It is often said that a gap analysis is the logical entry point into a Payment Card Industry – Data Security Standard (PCI-DSS) compliance project, but in reality this is very seldom the case.
Broadly speaking, businesses are designed with customers and profits in mind, not to be PCI-DSS compliant. A gap analysis used as the entry point into a PCI-DSS compliance project will inevitably reveal a vast array of non-compliance, creating the undue impression that achieving PCI compliance will, in many cases, be beyond the business's resources and capability.
So if not a gap analysis as an entry point, then what?
Experience informs us that there are two very helpful steps that, when conducted before the gap analysis, will give a less concerning and more accurate indication of the time-frames, costs and resource implications that the business will need to commit on the journey toward compliance.
The PCI-DSS standard only applies to the subset of the business infrastructure that stores, processes or transmits cardholder data (CHD), together with any part of the infrastructure connected to those systems. Conversely, any part of the business infrastructure that does not store, process or transmit CHD, and is not connected to a system that does, is out of scope. As such, the entry point to almost every PCI-DSS project should be an exercise in aggressive scope reduction.
Scanning for and identifying the location of CHD across the business, then asking the right questions and challenging assumptions at the process level, will significantly reduce the number of systems that genuinely need to store, process or transmit CHD, down to the smallest practical footprint. This in turn shrinks the cardholder data environment (CDE), and with it the time-frames, costs and resource implications of the compliance project.
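The discovery step above is usually done with a CHD scanner that looks for candidate primary account numbers (PANs) and filters out the false positives. The following is an added example, not code from the original article or from any particular scanning product: it finds 13 to 19 digit sequences (optionally separated by spaces or hyphens), keeps only those that pass the Luhn (mod 10) check that every PAN satisfies, and reports each hit masked to first six and last four digits so the scan output does not itself become cardholder data. The sample sources, the regex and the masking convention are assumptions made for this illustration; the card numbers in the samples are the well-known test numbers, not real cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# The look-around assertions stop us matching a 13-19 digit slice out of a
# longer run of digits (for example a long transaction identifier).
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Every PAN passes this check, but so does roughly one in ten random digit
    strings, so it removes most noise rather than all of it.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, hide the rest (PCI-style masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in text, masked, with their offsets."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            # Only the masked form is ever recorded: the scan report must not
            # turn into another store of cardholder data.
            hits.append({"offset": m.start(), "masked": mask_pan(digits)})
    return hits


def scan_sources(sources: dict) -> dict:
    """Map each source name to the number of PANs found in its contents."""
    return {name: len(find_pans(body)) for name, body in sources.items()}


# Constructed sample sources (assumed for this example). The card numbers are
# the standard Visa/Mastercard test numbers, not real PANs.
SAMPLE_SOURCES = {
    "crm_export.csv": (
        "name,card\n"
        "A. Customer,4111 1111 1111 1111\n"
        "B. Customer,5555-5555-5555-4444\n"
    ),
    # 13-digit order number and a mistyped card: both fail Luhn, so neither is reported.
    "support_ticket.txt": "Order 1234567890123 failed; customer says card 4111111111111112 declined.\n",
    # 19-digit transaction id: right length, fails Luhn, not reported.
    "app.log": "2024-01-01 txn_id=9876543210987654321 ok\n",
}


if __name__ == "__main__":
    for name, count in scan_sources(SAMPLE_SOURCES).items():
        print(f"{name}: {count} PAN(s)")
    for hit in find_pans(SAMPLE_SOURCES["crm_export.csv"]):
        print(hit)
```

On the sample data only the CRM export is flagged, which is the kind of result that drives the scoping conversation: the next question is whether that export needs to exist at all. Two caveats a practitioner would add: a text scanner of this kind only covers files it can read, so databases, backups, mail stores and call-recording systems need their own discovery; and because Luhn lets through a share of random digit strings, every hit needs a human look before a system is declared in scope.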
Once the scope of the CDE has been reduced to the smallest practical footprint, the business can sensibly consider how it wishes to achieve compliance – outsource vs in-source, the prioritised approach vs point-to-point encryption (P2PE), and so on – and weigh the pros and cons of each. An options analysis should be conducted by an experienced and independent QSA at this point, so that the business can make a properly informed decision about how best to proceed, free of biased advice from hardware vendors and others looking to make a sale.
With the scope reduced and some key decisions made, a gap analysis can now be performed to get a true (and drastically smaller) picture of what the business's PCI compliance journey will entail.