It isn’t surprising that of all the data breaches investigated by Verizon over the past ten years, not a single company was found to be compliant with the PCI DSS at the time of the breach.
Organisations often mistakenly assume that implemented security controls are being applied effectively. Conducting a compliance assessment not only increases the likelihood of compliance audit success, but maximises the likelihood that the organisation is compliant at any given point in time.
A PCI DSS gap analysis, or pre-audit assessment, determines an organisation’s current compliance levels and outlines the specific steps required to achieve full PCI compliance. A gap analysis is often undertaken before a formal assessment by a QSA for an Attestation of Compliance (AOC), and can greatly assist organisations in establishing whether they are ready for a formal Report on Compliance (ROC) audit.
A roadmap for compliance
By highlighting those areas where the organisation is non-compliant, the gap analysis produces an assessment report and a roadmap of the activities required for achieving full compliance and accreditation.
A PCI DSS gap analysis can be likened to an actual ROC assessment, and includes a detailed review of compliance activities, such as on-site interviews with key staff, an assessment of the in-scope system components and configurations, and a physical and logical data flow analysis, in addition to examining out-of-scope components.
The QSA will be looking for documentation and other forms of evidence to confirm that the controls have been implemented and are working effectively.
Companies that are required to undertake an ROC for the first time will want to know how they can eliminate connected systems from the compliance scope, thereby reducing their compliance costs.
Reducing the scope
During such a ‘de-scoping’ exercise, the consultant typically provides a detailed overview of all business scenarios where the PCI DSS applies, and explains how to protect or remove data from these instances to limit the scope and impact of the PCI DSS.
The assessor should not only explain what is needed for remediation but also highlight the most cost-effective ways for the client to close the gaps. The PCI DSS advisor should follow an unbiased and vendor-neutral approach, working with existing tools and processes to optimise your compliance programme and clarifying any ambiguity around individual PCI requirements.
A compliance assessment is useful at any point in time, but is particularly valuable close to the ROC audit, offering significant reassurance to you and your team about how your data security plans stack up.