PCI DSS Gap Analysis

Redspin's PCI DSS Gap Analysis uses a risk-based approach to manually identify critical infrastructure vulnerabilities and control deficiencies across your enterprise. The assessment focuses on six primary areas of your control environment:
Ensuring your network is secure
Ensuring your sensitive data is secure
Ensuring your systems are protected from malicious code
Ensuring access to cardholder data is restricted
Ensuring you know when there is an incident
Ensuring you have sufficient information to make risk management decisions

The goal of this assessment is to accurately and cost-effectively isolate areas of risk and provide actionable recommendations (both strategic and technical) for improvement.

This assessment sends expert security engineers into your environment to talk with key system owners to understand your business, leverage a risk-based approach to focus on the areas that are most critical to your operations, and validate that all implemented technical and non-technical controls are configured as expected.

Why perform a PCI DSS Gap Analysis?

  • We want to become compliant with the PCI Data Security Standard (PCI DSS).
  • We want a gap analysis between our current implemented controls and those defined by the PCI DSS.
  • We want to know how we are doing compared to similar institutions.
  • We want to know which high risk issues to focus on.
  • We want a fresh set of eyes on our systems.
Scope

The scope of our PCI DSS Gap Analysis is informed by a variety of sources:

  • Redspin Personnel's Experience — (covered in other sections) and Redspin's proprietary list of infrastructure vulnerabilities and control deficiencies, collected during hundreds of information security assessments over the last ten years.
  • Best Practices — Redspin draws on its own independent research, professional exchanges, and industry and other recognized standards, including ISO 27001 and NIST federal guidelines, to keep the scope in line with current IT security, availability, and operational analysis appropriate to an organization's size, business complexity, and technology footprint.
  • PCI — Payment Card Industry (PCI) Data Security Standard, v2.0, October 2010.
  • NIST — Risk Management Guide for Information Technology Systems (Special Publication 800-30), NIST (National Institute of Standards and Technology), October 2001.

Performing this assessment on a periodic basis also helps satisfy PCI DSS's own requirement for a formal annual risk assessment (Requirement 12.1.2 in v2.0). Note that PCI DSS is a contractual industry standard enforced by the card brands and acquirers, not a government regulation.

Some of the Questions a PCI DSS Gap Analysis Answers Include:

Network Architecture —
Is our network secure?
  • Is network access restricted to and from the cardholder environment?
  • Are systems configured according to baseline standards?
Data Security —
Is our cardholder data secure?
  • Is cardholder information storage kept at a minimum?
  • If stored, is the Primary Account Number (PAN) rendered unreadable?
  • If encryption is used, how are encryption keys managed?
  • Is cardholder information sent over public networks adequately protected?
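The two storage questions above are usually answered by looking for PANs where they should not be (application logs, debug output, exports) and by checking how any PAN that must be kept is rendered unreadable. The following Python script is an added example, not part of Redspin's methodology or this page: it scans a constructed log excerpt for Luhn-valid card-length numbers, then applies the PCI DSS 3.3 display mask (first six and last four digits at most) and a last-four truncation. The card numbers in the sample are published test numbers, not real accounts; the log format and field names are invented for the example.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Constructed sample log (hypothetical format). The card numbers are published
# test numbers, not real accounts; line 1 is a 16-digit order id that fails Luhn.
SAMPLE_LOG = """\
2011-03-04T10:02:11 order=1234567890123456 status=ok
2011-03-04T10:02:12 POST /checkout pan=4111111111111111 exp=12/14
2011-03-04T10:02:13 fallback auth card=5500 0000 0000 0004
2011-03-04T10:02:14 amex 378282246310005 declined
2011-03-04T10:02:15 typo test 4111111111111112 ignored
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid, card-length digit strings found in text, separators removed.

    The Luhn filter removes most order numbers, timestamps and other long digit
    runs that a plain length-based regex would flag.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display mask per PCI DSS 3.3: no more than the first six and last four visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncated form for storage when the full PAN is not needed: last four digits only."""
    return pan[-4:]


def redact_log(text: str) -> str:
    """Replace every Luhn-valid PAN in the log with its masked form; leave other numbers alone."""
    def repl(m: "re.Match[str]") -> str:
        digits = _strip_separators(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print(f"found PAN, masked {mask_pan(pan)}, truncated {truncate_pan(pan)}")
    print(redact_log(SAMPLE_LOG))
```

The Luhn check is a filter, not proof: a number that passes it is a plausible PAN that a reviewer should chase back to the code path that wrote it, while the 16-digit order id on the first line is correctly ignored. Masking and truncation are also not interchangeable in PCI terms: a masked value shown on a receipt or screen satisfies display requirements, but a stored PAN must be rendered unreadable (truncation, one-way hash, index token, or strong cryptography with managed keys), and a hash or truncation of the same PAN must not be stored alongside a form that lets the full number be reconstructed.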
Vulnerability Management —
Are our systems protected from malicious code?
  • Are systems commonly affected by malicious software adequately protected, and is that protection kept current?
  • Is a process in place to identify and protect systems against new vulnerabilities?
  • How are changes introduced to the system?
  • Do software development processes follow the secure software development lifecycle?
  • How are web applications protected from external threats?
Access Control —
Is access to the cardholder environment restricted?
  • Is user access to systems and network devices adequately restricted?
  • Are users accountable for their actions within the cardholder environment?
  • Is two-factor authentication required for remote access?
  • Are password policies effective?
  • Are audit procedures in place to detect and investigate a physical security breach?
  • Are sufficient controls in place to limit unauthorized physical access to the network and to media?
  • Are backups containing cardholder data adequately protected?
Test and Monitor —
Do you know if your controls have failed?
  • Is sufficient logging in place to track who did what and when at the network, system, and application level for all cardholder data?
  • Is third-party testing adequately testing the right systems at the correct frequency?
  • Is the necessary monitoring in place for all critical networks and systems?
Information Security Program —
Can I manage my risk better?
  • Have processes been implemented that allow management to govern the protection of cardholder data?
  • How effective are your information security policies in reducing risk to the cardholder data?
  • Has the necessary authority been assigned to a single individual for the information security program?
  • Do employees understand their role in the security lifecycle?
  • Are your service providers adequately protecting cardholder data?
  • Are you prepared to immediately respond to an incident?