PCI Data Security Standard Gap Assessment

A PCI Compliance Gap Assessment is designed to uncover elements of the existing environment and security controls that are not in line with the PCI Data Security Standard, by evaluating whether each of the 230 specific requirements within the PCI DSS is being addressed appropriately.

Using the PCI audit framework as a guide, this assessment consists of data gathering and interview-style reviews of the existing environment, as well as hands-on analysis of systems on a sampling basis.

The PCI Compliance Gap Assessment is very similar to an On-Site PCI Audit, except that a smaller sample of system and device configurations is evaluated, and documented evidence for each PCI requirement is not collected as it would be in an actual audit. The result is a realistic picture of compliance status and the work required to reach it, not a formal attestation.

By gathering information about the present configuration of systems and security controls, Halock can determine where gaps exist with the PCI Data Security Standard and will provide appropriate recommendations for correcting those gaps.

Deliverables from the PCI Compliance Gap Assessment will include recommendations for appropriate remediation efforts to bring the PCI-related IT segments into compliance with the PCI Data Security Standard.
  • Review scope for PCI Gap Assessment, based upon known locations of cardholder data, network design, access controls, and other relevant information
  • Review roles and responsibilities and collect relevant documentation (diagrams, policies & standards, operational security procedures, third-party contracts, etc.)
  • Collaboratively work through the PCI gap assessment worksheet, determining current compliance status for each PCI requirement as it applies to each of the defined scope areas (only items with a known status will be resolved here; items with a questionable status will be checked during fieldwork)
  • Assign follow-up tasks for validating the status of all open items (may include members from Halock and/or your organization teams)
  • Designated personnel from Halock and/or your organization will gather necessary information to determine compliance status for all open items on the PCI Compliance Gap Assessment Worksheet.
  • On a sampled basis, certain controls will be validated by direct observation to ensure PCI requirements are being fully met
  • Additional working sessions with your organization's PCI team may be required during the fieldwork phase in order to discuss preliminary findings, check status on assigned tasks, or provide guidance for parallel efforts to remediate open issues already discovered
  • All findings will be documented to show the current status of PCI compliance, with findings arranged according to scope area and PCI requirements (see Appendix B for a sample)
  • For each of the 12 main PCI requirements, specific recommendations will be provided for addressing open items against the PCI DSS.
  • In addition to specific recommendations for remediation, a high-level strategy for achieving PCI compliance will also be provided, allowing for an appropriate prioritization of PCI-related work efforts
 

On-Demand Vulnerability Scanning:

Allows unlimited scanning of Internet-facing IP addresses to support ongoing compliance with the PCI DSS quarterly external vulnerability scanning requirement. Online filing allows automatic notification of the acquiring bank once a passing scan is achieved. Note that, to count toward compliance, the quarterly external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV).

PCI Compliance Management Portal:

An online portal designed to facilitate PCI compliance efforts and to assist in managing all work related to achieving PCI compliance. The portal includes PCI-related news articles with expert analysis, a comprehensive PCI knowledgebase, downloadable tools and templates, and more.