How to perform a PCI DSS gap analysis

Complying with the Payment Card Industry Data Security Standard (PCI DSS) can be complicated and time-consuming, but you can reduce that burden with a PCI DSS gap analysis. It’s usually the first step towards compliance, as it provides a detailed comparison of what an organisation is currently doing against what it should be doing.

By identifying this gap, organisations can:

  • Create a snapshot of PCI DSS compliance;
  • Identify areas requiring immediate attention;
  • Avoid data breaches and the associated negative effects; and
  • Improve cost forecasting and budget justification for a PCI compliance programme.

Many people aren’t sure how a PCI DSS gap analysis process works, so we’ve outlined some important things that you need to know.


Whether you’re undertaking a new programme or reviewing your existing status, the first thing you’ll need to do is establish the scope of the project.

A scope that’s too narrow can lead to cardholder data being compromised, and a scope that’s too broad can unnecessarily increase the cost of the implementation or even undermine the effectiveness of the whole programme. Trying to do too much will overcomplicate proceedings, leaving your organisation with a false sense of security and liable to neglect the fundamentals – which can be tricky enough in themselves.

If you want to know the ideal scope for your PCI DSS gap analysis, you should take a look at our PCI DSS Documentation Toolkit.

This toolkit includes a scoping guide that helps you make sure every relevant part of the business is covered by the scope, and that defines a framework for categorising system components both inside and outside the cardholder data environment.

The gap analysis

The analysis should focus on the 12 requirements of the PCI DSS:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

These are all complicated requirements, so you’ll need help. This doesn’t necessarily mean you have to outsource the task – although that option is available – but, as with the scoping process, you’ll almost certainly benefit from our PCI DSS Documentation Toolkit.

Accelerate your PCI DSS project

The toolkit provides a set of project management tools, such as a roles and responsibilities matrix, a document checker, a gap analysis tool and an encryption key management guide.

All the templates have been designed from a PCI audit perspective by a PCI Qualified Security Assessor (QSA), and can easily be customised.
