Is a PCI Gap Assessment Worth It? 5 Key Questions to Ask


A PCI Gap Assessment can be a valuable resource for your organization as you first begin your journey with PCI (before your first assessment) or while transitioning between PCI DSS versions (from version 3.2.1 to 4.0). The PCI Gap Assessment will help you understand where you are and tell you where you need to go. So why would you want a PCI Gap Assessment rather than going straight to a full assessment?

The answers are time and money. By using a PCI Professional to do the PCI Gap Assessment, you will know exactly what you need to do in order to be compliant with PCI DSS. You save time and money by not starting a full assessment, failing, and having to re-engage the assessor in order to get a passing result. Typically, a gap assessment will be more of a high-level look at your organization’s PCI DSS compliance program, to determine the biggest gaps that could cause you to fail.

If you’re looking to begin your organization’s transition from version 3.2.1 to version 4.0, you should be looking to conduct a PCI DSS gap assessment before jumping in head first. For the remainder of this article, we are going to be looking at a PCI gap analysis through this lens.

What is a PCI Gap Assessment?

A PCI DSS gap assessment looks at your environment in its current state and compares it to the new requirements, thus helping you determine how to “bridge the gaps.” There are numerous changes from PCI DSS version 3.2.1 to version 4.0. A gap assessment will take your current PCI DSS compliance program into consideration and identify where you might potentially fail a PCI 4.0 assessment. 

While you can perform a PCI gap analysis internally, it’s best to consult a PCI DSS Professional, such as a Qualified Security Assessor (QSA) or PCIP. If you have a PCI ISA at your organization, make sure they have taken the free PCI DSS 4.0 training from the PCI Council so that they are familiar with the new DSS requirements and can properly conduct a gap assessment.

The person performing your gap assessment should provide you with a completed document that describes both the current state of your compliance and where you need to go. Use this engagement to ask for options for remediating the findings, as well as any other concerns you have. Furthermore, having another set of eyes on your environment can help you identify items that you might have missed before.

While a PCI DSS gap analysis is not a process that leads directly to PCI DSS compliance, it will help you get compliant faster by fixing your controls before the overall assessment.

What’s The Benefit?

As mentioned previously, the benefit of a PCI gap analysis is saving both time and money. You can think of these benefits as being organization-wide, but also think about how they trickle down into individual teams. The reduction in time spent on assessment prep, rather than on actual assessment work, can be significant.

Taking a step back and looking at your environment in a holistic manner from the top down can also help you find problems before they grow into bigger issues. If you are in a compliance crunch, the last thing you need is a large remediation standing between you and compliance. The gap assessment can help you find these issues before they hurt you.

As your environment changes and your business grows, having a gap assessment completed every five years can be very helpful. When the same people and assessors look at the same environment year after year, assumptions creep in and problems get missed. A fresh perspective from outside resources can be a good thing, especially in a no-pressure setting like a gap assessment.

The PCI Gap Assessment Process

The PCI Gap Assessment process is quite similar to an actual PCI DSS assessment.

The difference is that you aren’t conducting as many interviews or collecting as much evidence and documentation, but instead are looking for information and potential gaps.

The following steps will help guide you through a PCI Gap Assessment. 

Step 1: Review Your Governance, Risk, and Compliance (GRC) Programs

Your GRC processes will dictate the rest of these steps. Without guidance and enforcement from the top of your organization, PCI will not be taken seriously or given the necessary resources to achieve or maintain compliance. 

Have policies and procedures documented for all of the following areas in the remaining steps. Ensure that both your Information Security and Acceptable Use Policies are solid and contain the appropriate information. Ultimately your Information Security Policy should be your source of truth for all things information security, including PCI DSS.  

These items are primarily in Requirement 12.

Step 2: Identify Where Your Cardholder Data Is

How can you know what you need to protect if you don’t know where it is? This is where your scoping exercises, network diagrams, and data flow diagrams need to be sound. 

Use these documents to create an inventory of all assets (people, places, and things) that store, process, or transmit cardholder data. That phrase is key to understanding PCI scoping. Knowing where your data is stored, and where and how you can migrate that data and those systems into a segmented PCI Zone, can further reduce your overall scope for PCI DSS.

Make sure that you protect this data in storage and during transit. Specifically, protect the physical media and the facility.

Once you have this information, you can then further refine your GRC processes and these remaining steps to focus on these systems and the cardholder data. 

These items are primarily covered in Requirements 3, 4, and 9.

Step 3: Assess Network Security

For any network in scope, you need to make sure that all the network devices that belong in scope are included, and that each of them is configured appropriately. From your inventory, make sure that you have Configuration Baselines documented for each technology. Maintain your firewalls, restrict external/untrusted networks from your internal network, make sure that endpoint devices have personal firewalls and AV, and make sure that there are policies around these devices.

Additionally, confirm that you have deployment processes, preferably in the Configuration Baselines, to remove vendor-supplied defaults and any insecure default settings.

These items are primarily covered in Requirements 1 and 2. 

Step 4: Review Security Operations (Vulnerability Management)

If you aren’t checking for holes in your environment, know that hackers are. Commonly known vulnerabilities should be no excuse for a breach. While zero-day vulnerabilities are harder to protect against (this is where defense in depth comes in), you need to make sure that you are performing vulnerability scans and internal/external penetration tests. You must also have quarterly Approved Scanning Vendor (ASV) scans for your external points.

NOTE: If you’re looking to choose an ASV, see our list of top-rated Approved Scanning Vendors here.

This step also includes making sure that endpoints have some sort of antimalware solution to scan the system and check for abnormal behavior. In the event that an endpoint is exposed to malware, this software will help to protect the rest of the environment. 

Vulnerability management also extends into your in-scope applications. Your code and applications should be scanned. Before code is deployed, use a code-scanning tool to make sure you don’t have any common vulnerabilities. For web applications, use a scanning tool to check for common attacks such as SQL injection, cross-site scripting, and more.

These items are covered primarily in Requirements 5 and 6.

Step 5: Review Identity and Access Management

Now that you know where your data is, you need to know who has access to it and figure out if they really need it. The best practice is to restrict access to card data as much as possible. For larger organizations, you need to have an IAM platform to offset the difficulty that comes with managing that level of access. Have MFA in place to ensure that compromised credentials alone won’t give hackers access to your data. MFA applies to both admins and users with access. If admins don’t have MFA, hackers can give themselves access. 

For every individual that has access to cardholder data, ensure that you have documented approvals from managers or leadership. Tie each approval to a justification for the access, such as a job role or job title, so that access is justified by process rather than purely by individual. For example, if a team is your call center and handles calls involving card numbers, you can group those agents together. But make sure your groups are segmented: if some agents do not handle calls with card numbers, create a specific group for the ones who do and limit access to that group.

These items are covered primarily in Requirements 7 and 8. 

Step 6: Check Network Monitoring (Logging)

Even with defense in depth already in place, you still need to monitor your network. Systems and applications can be generating security logs, but if they aren’t being monitored and acted upon, then what’s the point? You need to have visibility and reporting in place to identify the actions that users and systems are taking in your environment.

Ensure that you have wireless network scanning in place to continuously detect rogue wireless access points. This is required even if you don’t have a wireless network attached to your cardholder data environment (CDE).

This is also where vulnerability management, internal/external penetration tests, IDS/IPS, firewalls, and other network tools come back into play.

These items are covered primarily in Requirements 10 and 11. For more on PCI logging requirements see our in-depth article.

Step 7: Check Your Physical Security

All these technical protections are pointless if attackers can walk right through the front door. Ensure that you have security cameras, badge cards, lock boxes, visitor logs, and other physical security measures in place for any physical location that stores cardholder data. This includes the computing hardware (servers, hard drives, RAM) and network lines where this data is stored or transmitted as well as paper records. 

These items are covered primarily in Requirement 9.

How Long Does a Gap Assessment Take?

The timeline for a PCI gap analysis depends on a number of factors including:

  • How mature your processes currently are
  • The size of your environment
  • The SAQ you are performing
  • How strong your overall cybersecurity posture is

For smaller environments, you can expect around a month; larger environments can take a few months at minimum.

Do You Need Scoping Before a Gap Assessment?

Scoping is step 0 for any PCI assessment. You need to know what you have to protect in order to protect it. Most importantly, scoping is the critical moment where you can reduce the time, resources, and budget required for the rest of your compliance effort.

Whether this is your first endeavor in PCI, or if you’ve had PCI DSS assessments before, you still need to do scoping. In PCI DSS 4.0, annual scoping exercises are now required to ensure that you have your environment assessed properly. This is the responsibility of the assessed entity (you). 

At a bare minimum, it is always helpful to have another set of eyes looking at your environment and asking different questions. This should give you better confidence that you have the right scoping for your assessment.

How Often is a PCI Gap Assessment Performed?

There is no set frequency for when you should perform a PCI gap analysis. As mentioned previously, every five years is a good rule of thumb. The primary time when you should perform a new gap assessment is for new PCI DSS versions. With the transition to PCI 4.0 from version 3.2.1, there are over 60 changes which range from small and simple to quite complex depending on your environment. 

How Much does a PCI Gap Analysis Cost?

Although a PCI gap assessment is a smaller-scale PCI DSS assessment, there is still significant work that must be performed. Again, the cost will depend heavily on the factors listed under How Long Does a Gap Assessment Take? Typically you can expect assessments to cost anywhere from a few thousand dollars to $10,000. Paying for a reliable and knowledgeable PCI Professional is extremely valuable.

Is PCI Gap Assessment Worth It?

Do you really need to have a PCI gap assessment? The simple answer is “No.” But do the benefits significantly outweigh the costs? Yes. 

If you aren’t completely confident in your current PCI DSS processes, you should consider getting a PCI Professional to perform a gap assessment. The same applies if you are preparing for PCI 4.0 and are not a PCI Professional yourself.

Overall, the only cons to a PCI gap analysis are the time and cost. While both matter, the time and cost of recovering from a breach involving cardholder data far exceed those of a gap assessment, to say nothing of the reputational damage. As with anything in compliance and cybersecurity, being prepared is key. A PCI Gap Assessment will only help you on your journey to PCI compliance and better cybersecurity overall.

Published by Noah Stahl PCI ISA
Noah Stahl is a PCI Internal Security Assessor and experienced consultant, having conducted PCI assessments for small businesses to Fortune 500 companies....
Copyright © 2022 Network Assured