PCI Gap Assessments are a vital resource that allows businesses to assess whether their procedures are aligned with industry cybersecurity best practices and with regulatory requirements such as the Payment Card Industry Data Security Standard (PCI DSS). A PCI Gap Assessment gives the auditee more visibility into the areas that need improvement by highlighting the weaknesses that could potentially bring revenue-generating operations to a halt. This type of assessment helps the auditee visualize its current cybersecurity posture, paves the way to a better cybersecurity strategy, helps remediate gaps in the environment, and brings the auditee closer to achieving the goals defined at the start of the assessment before it engages in a full PCI DSS Report on Compliance (RoC).

The first step (and the most important) before engaging in any type of assessment or audit is to have a well-defined scope. This is where we take the time to analyze the target area we need to focus on and improve. It is also the right time to gather the necessary information, assign resources and roles, and create a sound strategy.

The second step confirms the scope set in step one, so that what the assessment is trying to achieve is accurately defined and there is a clear definition of the areas, services, and equipment that will be assessed. It is also a good time to define a realistic time frame for completion, so that the entire team involved in the assessment is on the same page and the assessment can get under way.

The third step sheds light on the current state of the targeted areas and defines the areas that will require improvement or change. It is also a good time to start thinking about a strategic approach to finding solutions for the areas that will need remediation. Determining a good plan of action is important at this phase, so that any gaps found during the assessment can be remediated or completely eliminated by applying different techniques or methods to the affected areas.

Finally, the fourth step is where we take action to remediate or resolve the gaps found during the course of the assessment, consider the cost of implementation for each solution, and decide what will be implemented, eradicated, or completely changed. After all this hard work, remember never to neglect any of the findings, stay organized with your remediation process, and make changes gradually, since rushing them can bring unnecessary stress to the project.


For more information, or if you need assistance with a gap assessment, please contact us at info@silentstormesecurity.com

Author: Ron A Abarca
Silent Storm Security | Founding Partner BSISM, CISA