PCI DSS Gap-Analysis

A Gap Analysis is one of the most helpful tools for preparing for your PCI DSS certification. In a Gap Analysis, we check your compliance with the relevant security requirements in advance of the actual audit. This gives you the opportunity to identify deviations from the standard early and to correct them before the official PCI DSS certification, even where those deviations are major.

The PCI DSS also requires you to maintain your compliance throughout the year, not only at audit time. If you make a significant change to your environment between audits, for example, a Gap Analysis can help you confirm that the changed environment still meets the standard.

Difference between Gap Analysis and PCI DSS certification

A Gap Analysis is not subject to any official PCI SSC requirements and can therefore be tailored flexibly to your needs. The assessment is usually not as deep as an actual PCI DSS Assessment and serves as preparation for the certification. No official compliance documents (AoC and RoC) are issued.

We recommend a PCI DSS Gap Analysis

before your initial PCI DSS certification, once your PCI DSS scope is known
after significant changes to your certified PCI DSS environment
to help with your transition from PCI DSS v3.2.1 to v4.0

Version change to PCI DSS v4.0

PCI DSS v4.0 is the most comprehensive update of the security standard to date. The new version replaces the previous version 3.2.1 as of April 1, 2024. You have more time to implement some of the new requirements, however: the "future-dated requirements" do not become mandatory until April 1, 2025.

Use this transitional period to have a Gap Analysis performed and learn whether you already comply with the new requirements, or how much effort their implementation will require.

We recommend integrating the Gap Analysis into your next PCI DSS audit, which saves time and other valuable resources. Of course, we are also happy to conduct the Gap Analysis separately.

Our approach

Kick-off / Preparation

Together we define the scope and level of detail of your Gap Analysis. Since, unlike your actual PCI DSS assessment, there are no official specifications regarding scope and assessment depth, we can tailor the Gap Analysis exactly to your needs. We are happy to give you recommendations and to advise you on the classic "pitfalls" you might encounter during your official assessment.

Implementation

Getting you fit for the assessment: within the PCI DSS Gap Analysis, we review all IT systems, documentation and processes that we have agreed with you in advance for their compliance with PCI DSS. Deviations are documented in a catalog of corrective measures and discussed with you.

The validation of PCI DSS requirements is performed according to individual agreement. We rely mainly on interviews, document reviews and examination of the relevant IT systems and applications, and, where required, on physical security inspections.

Our auditors perform the PCI DSS Gap Analysis in person on your premises, remotely, or in a hybrid model, whichever you prefer. All details and specifics are agreed with you in advance.

Final Report

We document all deviations from the PCI DSS that our auditors have found in a detailed catalog of corrective measures. No official compliance documents (AoC and RoC) are issued.

After completion of the Gap Analysis, we are happy to advise you on correcting the findings.

Contact

Please contact us with any questions or queries.

Phone: +49 6102 8631-190
Email: sales@usd.de
PGP Key
S/MIME
Contact Form

Benedikt Krümmel
usd Technical Sales Consultant,
PCI Professional