Once the scope of the assessment is determined, our next stop on the PCI roadmap is the gap analysis process.
A gap analysis identifies the gaps between where we stand and where we want (or need) to be in terms of compliance. This process provides a foundation for measuring the investment of time, money and human resources required to achieve a particular outcome; in this case, PCI compliance.
Who should perform a gap analysis?
Though there is no obligation from the council to perform such an analysis, I would recommend that all entities subject to compliance perform this exercise regardless of their level or type. For those subject to on-site audits, it will efficiently prepare you for the QSA visit. For others, it will support the self-assessment process. In both cases, it can be driven either internally or through the expert eyes of external parties.
How long does it take to perform such an analysis?
Don't underestimate it! A gap analysis process can last from a few days to several months, depending upon the scope, the level of control over the environment (meaning the internal business and technical knowledge and expertise) and the level of understanding of PCI DSS. I would also add the open-mindedness and attitude of the participants.
A gap analysis process should encompass the following actions:
- Identify the DSS requirements pertaining to the entities (see merchant “types”).
- Identify the actors: individuals with business or technical expertise of the environment who should take part in the exercise.
- Determine compliance status: discuss the compliance status of each component in scope against relevant requirements through brainstorming sessions and interviews with the actors.
- Document the rationale for compliance; don't limit yourself to a “Yes”, justify in detail why, in your opinion, you meet the requirement. Attach proofs of compliance. Describe compensating controls.
- Identify ambiguous areas to be further investigated with the assistance of the community or experts.
- Identify areas of non-compliance and develop remediation plans.
- Prioritize the gaps and define a timeline for achieving compliance and assign ownership.
I generally see the outcome of a gap analysis as a “compliance dashboard” providing us with a global view on:
- Areas of compliance and associated proofs.
- Areas of non-compliance, with their associated remediation plans, timeline and ownership.
Tool – Compliance Dashboard
Please feel free to use this “compliance dashboard” spreadsheet to support your gap analysis exercise. It encompasses:
- A table of contents and navigation links (NEW)
- A "Scope" sheet allowing you to define the Cardholder Data Environment (CDE) (NEW)
- An Executive Summary showing your progress on your PCI compliance journey based on the selected merchant type (UPDATED)
- Two buttons within the Executive Summary sheet allowing you to hide/unhide the non-applicable requirements for the selected merchant type (NEW)
- Graphs (compliance % and severity level per requirement) (UPDATED)
- All PCI DSS requirements grouped by section
- Guidance associated with each requirement
- The major observation points from the 2011 Verizon PCI Compliance report for each requirement
- The PCI Glossary
- The participants list (NEW Renamed to "PCI Team")
- The list of merchant types
- The compensating controls documentation sheet
- The Validation Instructions for QSA/ISA for each requirement
- Indication of "relevance" by merchant types (A, B, C, C-VT, D). "1" indicates that the requirement is relevant.
- Priority level or milestones from the “prioritized approach” (1-6)
- A column "In Place" (Yes/No/Compensating control Present)
- A column "Severity", equal to the PCI Council priority level for requirements not in place (NEW)
- A column "Stage of implementation (if not in place)"
- A column "Estimated date for completion"
- A column "Proofs/Documentation/Comment"
- A column "Remediation plan" (what must be done)
- A column "Owner" (the individual or department in charge) (NEW: associated with the PCI Team)
- A column "SANS Top 20 Critical Security Controls" matching sub-controls to each PCI requirement wherever possible (NEW)
- A sheet "SANS-PCI" listing all SANS Top 20 Critical Security Controls and sub-controls together with the PCI requirements partially or fully matching each sub-control, plus the % of match for each SANS control (NEW)
- Links to the PCI 30 Seconds newsletters (UPDATED)
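As an added illustration (not the spreadsheet itself, nor code from the original post), the following Python sketch models the dashboard's core rows and computations: relevance flags per merchant type, the "In Place" status, a severity equal to the prioritized-approach milestone for requirements not in place, and the per-section compliance percentage shown in the executive summary. The requirement numbers, relevance flags, milestones and owners in the sample rows are constructed placeholders, not the real PCI DSS mapping.

```python
from dataclasses import dataclass

MERCHANT_TYPES = ("A", "B", "C", "C-VT", "D")
MET = ("Yes", "Compensating control present")  # "In Place" values that count as compliant

@dataclass
class Requirement:
    req_id: str        # requirement number (constructed placeholder in the sample below)
    section: str       # PCI DSS section the requirement belongs to
    milestone: int     # prioritized-approach milestone 1-6 (1 = address first)
    relevance: dict    # merchant type -> 1 if the requirement applies, 0 if not
    in_place: str      # "Yes" / "No" / "Compensating control present"
    owner: str = ""    # individual or department from the PCI Team sheet

def applicable(reqs, merchant_type):
    """Rows left visible once non-applicable requirements are hidden for this merchant type."""
    return [r for r in reqs if r.relevance.get(merchant_type, 0) == 1]

def severity(req):
    """Severity column: the milestone for a requirement not in place, 0 when it is met."""
    return 0 if req.in_place in MET else req.milestone

def compliance_pct(reqs, merchant_type):
    """Executive-summary figure: compliance % per section for the selected merchant type."""
    by_section = {}
    for r in applicable(reqs, merchant_type):
        by_section.setdefault(r.section, []).append(r)
    return {s: round(100.0 * sum(severity(r) == 0 for r in items) / len(items), 1)
            for s, items in sorted(by_section.items(), key=lambda kv: int(kv[0]))}

def remediation_plan(reqs, merchant_type):
    """Open gaps ordered for remediation: earliest milestone first, then requirement id."""
    gaps = [r for r in applicable(reqs, merchant_type) if severity(r) > 0]
    return [(r.req_id, r.milestone, r.owner)
            for r in sorted(gaps, key=lambda r: (r.milestone, r.req_id))]

# Constructed sample rows; relevance flags and milestones are NOT the real PCI DSS mapping.
SAMPLE = [
    Requirement("1.1", "1", 2, {"A": 0, "B": 1, "C": 1, "C-VT": 1, "D": 1}, "Yes", "Network team"),
    Requirement("1.2", "1", 2, {"A": 0, "B": 1, "C": 1, "C-VT": 1, "D": 1}, "No", "Network team"),
    Requirement("3.4", "3", 1, {"A": 0, "B": 0, "C": 1, "C-VT": 0, "D": 1}, "Compensating control present", "AppSec"),
    Requirement("9.1", "9", 4, {"A": 1, "B": 1, "C": 1, "C-VT": 1, "D": 1}, "No", "Facilities"),
    Requirement("12.1", "12", 2, {"A": 1, "B": 1, "C": 1, "C-VT": 1, "D": 1}, "Yes", "Security office"),
]

if __name__ == "__main__":
    for mt in MERCHANT_TYPES:
        print(mt, compliance_pct(SAMPLE, mt), remediation_plan(SAMPLE, mt))
```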
Questions for the community
- If you have already performed a gap analysis exercise, what impediments did you overcome?
- Being a customer or a vendor, what would be your unique recommendation?
- How would you describe the gap analysis process in one word?