PCI-DSS GAP ANALYSIS
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the founding payment brands of the PCI Security Standards Council (SSC), including MasterCard Worldwide, Visa International, American Express, Discover Financial Services and JCB. The PCI DSS Standard is mandated by the card brands and administered by the Council. The Standard was created to increase controls around cardholder data to facilitate consistent, effective and reliable data security measures, as well as greater accountability across organisations, in order to reduce levels of fraud.
The PCI DSS applies to all organisations that process, store or transmit cardholder data or those that can affect the security of cardholder data as it is processed, stored or transmitted. The Standard also applies to organisations that have totally outsourced payment card handling, as they are still responsible for ensuring their third parties are PCI DSS compliant. Such organisations need to monitor third party compliance annually, as part of their supplier due diligence activities, in order to ensure cardholder data is fully protected.
HOW IT WORKS
Amandata's XecurePASS PCI DSS gap analysis service is aimed at organisations that want to benchmark their current corporate information security practices (relating to payment card data) against the Standard and understand their readiness for a compliance assessment.
The gap analysis is often the first step of a PCI DSS project and provides you with a road-map for achieving compliance. This service will typically involve one of Amandata's QSAs spending time on your site meeting with those individuals responsible for:
- The PCI DSS programme
- Network administration and cardholder systems
- Developing company policies and procedures.
Focus of Gap Analysis
An Amandata QSA will assess your organisation's practices against the 12 high-level PCI DSS requirements, as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Gap Analysis Report: a summary of the gap analysis, together with recommendations on the findings for meeting PCI DSS. The key output from our PCI DSS gap analysis service will be a report that includes:
- A definition of your cardholder data environment (CDE) and in-scope business processes, applications, devices, networks, facilities and service providers
- An assessment of how closely your organisation meets each of the PCI DSS requirements
- Recommendations for reducing the scope of the CDE, where applicable, thus reducing the potential cost of compliance
- Detailed recommendations for remediating any areas of non-compliance
- Advice regarding your organisation's best options for achieving PCI DSS compliance quickly and cost-effectively, drawing upon our QSAs’ experience working with similar organisations.