How to Conduct a PCI Gap Assessment

Is your organization ready to comply with the Payment Card Industry (PCI) Data Security Standard (DSS) framework? If you process or store credit card data, you’ll need to be. A PCI gap analysis, also known as a PCI gap assessment, can help you identify any missing or incomplete cybersecurity infrastructure you’ll need to patch before your next required audit for certification, internal or external.

How to Prepare for Compliance with a PCI Gap Assessment

The DSS framework, developed and enforced by the Security Standards Council (SSC), has 12 primary Requirements that eligible merchants need to follow. These are distributed across six primary sections, or Goals, within the framework. A successful PCI DSS gap analysis should assess for complete implementation of the given Requirements and their sub-requirements within each Goal. So, the six steps outlined below correspond directly to the PCI DSS Goals.

Step 1: Assess Security Across All Networks and Systems

The first major step in your PCI DSS gap assessment involves assessing weaknesses relevant to the first two Requirements, which collectively make up the first Goal in the DSS. The first Goal is one of the more technical of the six, governing specific architectural implementation and approaches to device and network settings and configurations for cardholder data (CHD) and the broader CHD environment (CDE).

Goal 1 is established across two Requirements and 11 sub-Requirements.

PCI DSS Requirement 1: Install and Maintain Protective Firewalls

A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 1:

• Requirement 1.1 – Maintain firewall and router configurations, including formal approval, network diagramming, required application, explicit documentation, and other settings.
• Requirement 1.2 – Maintain firewall and router configurations to restrict all connections and traffic between external, untrusted, or unprotected networks and CHD-related assets.
• Requirement 1.3 – Implement DMZ, anti-spoofing, and other protections to prohibit all forms of direct, unfiltered access between systems in the CDE and the broader internet.
• Requirement 1.4 – Maintain personal firewalls or equivalent measures on all portable computing devices (e.g., smartphones, laptops) operated in external locations
• Requirement 1.5 – Formally document policies pertinent to Requirements 1.1-1.4.

PCI DSS Requirement 2: Replace all Settings Supplied by Vendors

A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 2:

• Requirement 2.1 – Remove and replace all vendor-supplied defaults and security settings prior to installing a given system or asset on any network within the CDE.
• Requirement 2.2 – Develop and implement configuration standards for all system components, addressing known vulnerabilities and adhering to industry best practices.
• Requirement 2.3 – Utilize cryptographic controls for all non-console admin access.
• Requirement 2.4 – Maintain a robust inventory of all system components currently in-scope for PCI DSS compliance or that could be subject to it imminently.
• Requirement 2.5 – Formally document policies pertinent to Requirements 2.1-2.4.
• Requirement 2.6 – Protect shared hosted environments and CHD within them.
  • Applicable to shared hosting providers subject to PCI DSS Appendix A1.

  Step 2: Assess Protections Across All Cardholder Data

  The second major step in a PCI DSS gap assessment involves assessing integrity across all the specific safeguards required for CHD, both within the CDE and in preparation for transmission outside it. These include various protections specific to personal and personally identifiable information (PII) included within CHD sets, for which a PII scanner can help immensely.

  In total, this step assesses for 10 DSS sub-Requirements, distributed across two primary DSS Requirements.

  PCI DSS Requirement 3: Protect Cardholder Data in Storage

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 3:

  • Requirement 3.1 – Limit CHD storage through a retention and disposal program, reducing the amount and duration of CHD storage to minimum possible extents.
  • Requirement 3.2 – Ensure no credentials or sensitive authentication information is retained after authentication, even if encrypted—render received data unrecoverable.
  • Requirement 3.3 – Obscure all personal account numbers (PANs) when displayed, limited to the first six or last four digits of the entire PAN sequence at a maximum.
  • Requirement 3.4 – Render PAN sequences completely unreadable in all storage, including all portable digital media, through truncation, cryptography, hashes, etc.
  • Requirement 3.5 – Implement protections to safeguard cryptographic keys used in storage or transmission of CHD, restricting access to the minimum extent possible.
  • Requirement 3.6 – Document all processes specific to generating, maintaining, and processing cryptographic keys (beyond the documentation for 3.7 below).
  • Requirement 3.7 – Formally document policies pertinent to Requirements 3.1-3.6.

  PCI DSS Requirement 4: Encrypt Cardholder Data for Transit

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 4:

  • Requirement 4.1 – Utilize strong cryptographic keys and other controls to protect CHD when transmitted over open, public, and other networks outside of organizational control.
  • Requirement 4.2 – Prohibit traffic of PANs and other sensitive personal information on any end-user messaging technologies, including but not limited to SMS, email, etc.
  • Requirement 4.3 – Formally document policies pertinent to Requirements 4.1-4.3.

  Step 3: Assess Approaches to Vulnerability Management

  The third step involved in a PCI DSS gap assessment includes assessing risk management programs. More specifically, you should be scanning for threat and vulnerability management capacities. These can function passively or more actively, as in the case of a threat hunting or managed detection and response (MDR) program.

  There are 11 sub-Requirements to assess.

  PCI DSS Requirement 5: Maintain Antimalware Configurations

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 5:

  • Requirement 5.1 – Install and maintain robust antivirus software and protections on all system components likely to be targeted by malware (i.e., personal computers, etc.).
  • Requirement 5.2 – Ensure antivirus tools are current, generating audit logs (see 10.7).
  • Requirement 5.3 – Ensure antivirus tools cannot be incapacitated by any users.
  • Requirement 5.4 – Formally document policies pertinent to Requirements 5.1-5.3.

  PCI DSS Requirement 6: Develop Secure Apps and Systems

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 6:

  • Requirement 6.1 – Establish procedures to scan for, detect, and identify all security vulnerabilities and codify them according to a rating system (i.e., high, medium, low, etc.).
  • Requirement 6.2 – Ensure all critical systems are protected against vulnerabilities by installing available vendor-supplied patches and solutions within a month of release.
  • Requirement 6.3 – Ensure security of internally and externally developed software and applications in accordance with all DSS controls, industry standards, and best practices.
  • Requirement 6.4 – Implement change control processes across all system components.
  • Requirement 6.5 – Address common coding vulnerabilities by training staff annually.
  • Requirement 6.6 – Implement ongoing threat assessment for public-facing applications.
    Applicable irrespective of, and in addition to, scans specified in 11.2 below.
  • Requirement 6.7 – Formally document policies pertinent to Requirements 6.1-6.6.

  

  Step 4: Assess Identity and Access Management Measures

  The fourth step to implementing a successful PCI DSS gap assessment involves scanning for effective identity and access management (IAM) protocols, such as multifactor authentication (MFA) and various other technical and physical measures. This is the most robust Goal within the PCI DSS framework, encompassing 21 sub-Requirements across three Requirements.

  PCI DSS Requirement 7: Restrict Data Access By Need to Know

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 7:

  • Requirement 7.1 – Restrict access to all system components containing CHD to individuals who require access and limit access to the minimum extent possible.
  • Requirement 7.2 – Deny all access that doesn’t meet the defined “need-to-know” criteria.
  • Requirement 7.3 – Formally document policies pertinent to Requirements 7.1-7.2.

  PCI DSS Requirement 8: Authenticate Identity for System Access

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 8:

  • Requirement 8.1 – Design and implement policies for identity management, including strict control over creation, deletion, modification, and all general use of user IDs.
  • Requirement 8.2 – Implement MFA for non-consumer and admin access to the CDE.
  • Requirement 8.3 – Implement MFA for all non-console admin access and remote use.
  • Requirement 8.4 – Provide robust educational guidance to all users on selecting strong user credentials, changing them, and maintaining the overall security of their user IDs.
  • Requirement 8.5 – Prohibit the use of all generic and shared user IDs or credentials.
  • Requirement 8.6 – Ensure security in all situations in which alternative authentication methods are used (i.e. tokens) by preventing individuals from sharing forms of access.
  • Requirement 8.7 – Ensure all access to databases containing CHD is limited to programmatic methods undertaken by administrators via single-use app IDs.
  • Requirement 8.8 – Formally document policies pertinent to Requirements 8.1-8.7.

  PCI DSS Requirement 9: Restrict Physical and Proximal Access

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 9:

  • Requirement 9.1 – Implement facility entry controls to monitor and restrict CDE traffic.
  • Requirement 9.2 – Implement protocols for easily distinguishing between authorized personnel and authorized visitors, such as through badges or tokens upon entry.
  • Requirement 9.3 – Control physical access for all onsite personnel by requiring authorization upon entry and maintain the ability to revoke access as needed.
  • Requirement 9.4 – Implement procedures to authorize (or restrict) visitor access.
  • Requirement 9.5 – Implement physical safeguards (and backups) for all media.
  • Requirement 9.6 – Monitor and restrict internal and external distribution of media, including classification, secure couriers, and approval for all media transmissions.
  • Requirement 9.7 – Implement control over all media storage and accessibility.
  • Requirement 9.8 – Ensure media is destroyed properly (i.e., shredded, pulped, burned, etc.) when it is no longer needed to satisfy business, legal, or other requirements
  • Requirement 9.9 – Protect devices that physically interact with cards to capture CHD.
  • Requirement 9.10 – Formally document policies pertinent to Requirements 9.1-9.9.

  Step 5: Assess Network Monitoring or Testing Capabilities

  The penultimate step toward a successful PCI DSS gap assessment involves a meta-level assessment of your capacities to assess. Specifically, this PCI DSS Goal ensures that your organization has the required visibility and reporting architecture in place to conduct regular patch availability reports and other audits, which in turn inform repetitive work.

  You’ll need to assess the implementation of 15 total sub-Requirements, distributed across 2 Requirements.

  PCI DSS Requirement 10: Monitor Access to Networks and Data

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 10:

  • Requirement 10.1 – Install audit trails linking all system access to respective users.
  • Requirement 10.2 – Automate audit trails to capture and reconstruct (to the extent possible) users’ access to CHD, use of admin privileges, access to audit trails, etc.
  • Requirement 10.3 – Ensure audit trails record, at a minimum: user IDs, event types, dates and times of access, success or failure, event origination, and data impacted.
  • Requirement 10.4 – Synchronize all clocks critical to internal system functionalities.
  • Requirement 10.5 – Protect audit trails and relevant data against all alterations.
  • Requirement 10.6 – Regularly review audit trails for indicators of irregular activity.
  • Requirement 10.7 – Retain all audit trail data for one year at a minimum, with three months’ worth of relevant data available for immediate access and detailed analysis.
  • Requirement 10.8 – Ensure critical system failures can be reported on immediately.
  • Applicable exclusively to Service Providers, distinct from eligible Merchants.
  • Requirement 10.9 – Formally document policies pertinent to Requirements 10.1-10.9.

  PCI DSS Requirement 11: Run Regular Tests of System Efficacy

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 11:

  • Requirement 11.1 – Install processes to scan for wireless access points; detect, inventory, and address unauthorized points at regular intervals (at least quarterly).
  • Requirement 11.2 – Implement vulnerability scans at regular intervals (at least quarterly) and after any significant change to system or network components.
  • Requirement 11.3 – Integrate regular penetration tests (at least annually).
  • Requirement 11.4 – Install and maintain up-to-date intrusion prevention tools.
  • Requirement 11.5 – Install and maintain up-to-date change detection tools, such as a File Integrity Monitoring (FIM) system, along with capacities to respond to irregularities.
  • Requirement 11.6 – Formally document policies pertinent to Requirements 11.1-11.5.

  Step 6: Assess Information Security Policy Implementation

  The final step to your PCI DSS gap assessment should be relatively straightforward compared to all the others. Requirements 1-11 all include a sub-requirement for the formal documentation of all pertinent policies specific to that parent Requirement. These efforts directly pertain to Requirement 12, which builds on these formalities.

  Security program advisory is the best way to ensure that all 11 sub-Requirements within Requirement 12 are followed beyond conducting gap assessment.

  PCI DSS Requirement 12: Maintain Policies Addressing all Staff

  A PCI gap analysis needs to focus on the following sub-Requirements for Requirement 12:

  • Requirement 12.1 – Develop, distribute, and maintain a formal, unified security policy.
  • Requirement 12.2 – Implement risk-assessment procedures at least annually and on special occasions related to changes in the CDE and risk environment, per the policy.
  • Requirement 12.3 – Define and enforce appropriate use cases for critical technologies.
  • Requirement 12.4 – Ensure that security policies address responsibilities for all staff.
  • Requirement 12.5 – Delegate responsibilities specific to security policy implementation.
  • Requirement 12.6 – Ensure awareness of policies through formalized policy training.
  • Requirement 12.7 – Reduce risks for new and onboarding personnel with screening.
  • Requirement 12.8 – Ensure third parties are aware of and follow defined policies.
  • Requirement 12.9 – Formally notify customers of responsibilities regarding CHD.
    • Applicable exclusively to Service Providers, distinct from eligible Merchants.
    • Requirement 12.10 – Prepare for immediate, programmatic response to a data breach.
    • Requirement 12.11 – Review policy implementation regularly (at least quarterly).
      • Applicable exclusively to Service Providers, distinct from eligible Merchants.

      RSI Security: Professional PCI DSS Gap Analysis Partners

      Preparing for long-term PCI compliance involves much more than PCI gap assessment. You also need to address identified issues, install required controls, and then (depending on Merchant Level) verify your implementation.

      RSI Security offers a suite of PCI compliance advisory and verification services. As an Approved Scanning Vendor (ASV) who can assist with Requirement 11, and as a Qualified Security Assessor (QSA), we can complete an Attestation of Compliance (AOC) or Report on Compliance (ROC)—if you need one. Contact us today to get started!