A PCI gap assessment is the identification, analysis and documentation of areas of non-compliance with the Payment Card Industry Data Security Standard (PCI DSS).
PCI gap assessment is the first step for a merchant seeking to become PCI DSS-compliant. Gap assessments help payment card industry (PCI) merchants prepare for on-site PCI assessments and can help to ensure they pass.
PCI gap assessments are performed by security consulting companies whose teams go on-site to inspect and assist the businesses with readiness for an onsite assessment by PCI themselves. They inspect the 12 areas of PCI DSS requirements which are:
- An installed and maintained firewall.
- Acceptable password use.
- Protection of stored cardholder data.
- Encrypted transmission of card holder data.
- Installed and functioning up-to-date antivirus software.
- Secure system and applications.
- Cardholder data must be protected from all access except on a need-to-know basis.
- All employees with computer access must have individual login IDs.
- Physical access to cardholder data must be protected.
- All access to network resources and card holder data must be tracked.
- Security systems and processes must be regularly tested.
- Security policies must be maintained.
Once the assessment is performed and issues remediated, the merchant should be ready to get a compliance assessment for PCI DSS. Merchants of all levels must then report their compliance status to their acquiring banks.