The golden rule of thumb when following a recipe is of course to make sure you have all of the ingredients on hand before getting started. Much like scouring your cupboards to ensure you have just the right amount of flour, sugar and salt, a Payment Card Industry Data Security Standard (PCI DSS) Gap Analysis requires a holistic view of your organization’s data environment and a step-by-step plan to follow in order to fulfill PCI DSS compliance regulations.
The Ingredients for PCI DSS Compliance
Honestly, I do not think there is a payment card expert in the world that would argue that the 12 Requirements of the PCI DSS are anything more than the most common-sense and practical collection of best practices for mitigating risk to your payments process.
I often think of the requirements as a recipe. Except, at the end of the process you haven’t prepared a delightful meal, but delivered a full program of people, processes and technologies that, if routinely maintained, will significantly protect your organization’s livelihood by enabling a secure payment process and shielding it from the massive and costly repercussions that can follow a payment card data breach.
As recipes in the kitchen vary greatly in the time and difficulty it takes to make them, the recipe for PCI DSS compliance falls on the more difficult end. With twelve significant “ingredients” or requirements, plus dozens of sub-requirements, things can get a bit tricky without the guidance of a master chef.
And as I’m sure most of you are familiar with the ingredients already, if you are here to understand how to conduct a Gap Analysis, it doesn’t hurt to review them again:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Preparing a Gap Analysis is just like going through a list of ingredients for a recipe – you review what you currently have on-hand and identify what is missing. While this exercise is usually conducted at the beginning of your PCI DSS compliance journey, it is by no means irrelevant to even those with the most sophisticated compliance programs. That is because it is often through the Gap Analysis exercise that many compensating controls are considered and implemented (more on that shortly).
Cooking With Gap Analysis
When conducting a Gap Analysis for PCI DSS compliance, the exercise should reveal a few key findings*:
- Where your compliance currently stands
- Areas in which you are currently deficient
- Which areas of deficiency are most critical and require immediate attention
*Depending on where you are in your compliance journey, you may have already conducted a “scoping exercise” – mapping all of the systems and people that touch the payment process in your organization to identify the extent of your Card Data Environment (CDE). If you haven’t, you will want to do this before beginning your Gap Analysis.
A Gap Analysis can be conducted by a separate service provider for a fee, or you may undertake the exercise yourself. Many of those service providers have created a plethora of clever tools to document, chart and track gaps and improvements and, finally, maintain ongoing compliance. Some providers even offer free downloadable Gap Analysis tools. There are plenty of ways to conduct this exercise yourself as well. One of the most common ways to conduct your Gap Analysis is by using the PCI Security Standards Council’s Self-Assessment Questionnaires (SAQs).
There are a number of SAQs available. To determine the one most appropriate for your organization, you must determine your merchant level, which corresponds to the total annual volume of payment card transactions your business takes, and how those transactions are conducted (in person or online).
Use the SAQ to understand the three key findings identified above and your organization’s general compliance position – and then get your plan in order to overcome any deficiencies and reduce the overall scope of your CDE, making future assessments (and your overall compliance program) more manageable. While your organization may have to complete an SAQ as part of your compliance reporting, doing a dry run of one is a great way to guide your Gap Analysis. It is a bit like practicing a recipe a few times before you know you’ve got it just right.
A Method for Ongoing Compliance
Once conducted, a Gap Analysis exercise should illustrate your most critical areas of need. If you are unsure of how to prioritize the needs that are identified, you are in luck: the PCI Council has done it for you. The PCI Prioritized Approach “provides six security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance.”
With your Gap Analysis completed, you can now begin to use the Prioritized Approach process and tools (there is even a downloadable Prioritized Approach Milestone spreadsheet) to secure a few quick wins for your organization that will bring you closer to a smooth, persistent and ongoing state of PCI DSS compliance.
What value does a PCI DSS Gap Analysis have for an organization already well along on its compliance journey, or for those with years or decades of Reports on Compliance (ROCs) under their belts?
Many of the organizations with the most advanced ongoing compliance programs conduct a PCI DSS Gap Analysis at regular and consistent intervals throughout the year. In fact, you might say that it is a primary contributor to their exemplary compliance programs.
Believe it or not, not every new technology implementation, policy, change control or adjustment to a process is run by the Chief Compliance Officer before it is implemented. It is during these regularly conducted Gap Analysis exercises that such changes may be given their first interpretation through the PCI DSS compliance lens.
Dramatic deficiencies identified within these exercises may lead to modifications of policy, modifications to technology configurations and even the implementation of new compensating controls to ensure compliance within the new operating environment.
Conducting a PCI DSS Gap Analysis isn’t just a tool for beginners. It can play a vital role in your organization’s mature compliance program. When was the last time you undertook a Gap Analysis exercise? Maybe it’s time for you to get out the “recipe book” and get to cooking!