PCI gap assessment

A PCI gap assessment is the identification, analysis and documentation of areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).

A PCI gap assessment is the first step for a merchant seeking to become PCI DSS-compliant. Gap assessments help payment card industry (PCI) merchants prepare for on-site PCI assessments and can help to ensure they pass.

PCI gap assessments are performed by security consulting companies whose teams visit the merchant's site to inspect its environment and help the business prepare for the on-site assessment by PCI itself. They inspect the 12 areas of PCI DSS requirements, which are:

  1. An installed and maintained firewall.
  2. Acceptable password use.
  3. Protection of stored cardholder data.
  4. Encrypted transmission of cardholder data.
  5. Installed and functioning up-to-date antivirus software.
  6. Secure systems and applications.
  7. Cardholder data must be protected from all access except on a need-to-know basis.
  8. All employees with computer access must have individual login IDs.
  9. Physical access to cardholder data must be protected.
  10. All access to network resources and cardholder data must be tracked.
  11. Security systems and processes must be regularly tested.
  12. Security policies must be maintained.

Once the assessment is performed and the identified issues are remediated, the merchant should be ready for a PCI DSS compliance assessment. Merchants of all levels must then report their compliance status to their acquiring banks.

This was last updated in June 2015
