PCI DSS Gap Analysis

Our Payment Card Industry Data Security Standard (PCI DSS) Gap Analysis provides a detailed review of your current PCI DSS compliance and produces a roadmap that can be implemented to achieve full compliance with the Standard.


Assess your current PCI DSS compliance

Our PCI DSS Gap Analysis reviews an organisation’s cardholder data environment (CDE) against the latest version of the Standard. In-scope systems and networks are reviewed and a detailed report compiled, showing areas that need attention.

By contracting our PCI DSS Gap Analysis service, we can help your organisation pass the annual audit, or build a CDE and infrastructure that meet the requirements of the Standard.

Why is a PCI DSS gap analysis so important?

Based on our experience, very few clients maintain full compliance with the PCI DSS v3.2 requirements. Findings from Verizon’s 2017 Payment Security Report support this view. After studying 11 years of forensic breach investigations, Verizon found that not a single company was PCI DSS compliant at the time of a breach. 89% of breached companies were never compliant, and 11% were PCI DSS compliant at one point, but not at the time of the breach.

As organisations evolve, business and customer demand require changes to technology and processes. These changes can affect an organisation’s PCI DSS status. Although PCI DSS compliance is increasing, more than 40% of global organisations – large and small – are still not meeting PCI DSS compliance requirements. Of those that pass validation, nearly half fall out of compliance within a year.*


  • of organisations that suffered a breach were not compliant with the Standard.
  • of organisations achieved PCI DSS compliance at the interim assessment.
  • is the average percentage of controls not in place for companies failing their interim assessment.

* Verizon 2017 Payment Security Report


The value of completing a PCI DSS gap analysis

A PCI DSS gap analysis is usually the first step clients take to understand their compliance status. It provides a detailed comparison of what their business is currently doing against what it should be doing to comply with the PCI DSS. The analysis compares the security controls the business currently uses to protect cardholder data against the specific controls the PCI DSS requires, and identifies the ‘gap’ that needs to be addressed.

By completing a gap analysis, you can:

  • Create a snapshot of PCI DSS compliance;
  • Identify, in prioritised order, areas requiring immediate attention and cost-effective remediation;
  • Improve cost forecasting and budget justification for a PCI DSS compliance programme; and
  • Gain an awareness of your company’s ability to comply with any new release of the Standard, such as PCI DSS v3.2.


What can you expect from our PCI DSS Gap Analysis?

A Qualified Security Assessor (QSA) will map critical information processes and technical infrastructure. By assessing your current state of compliance, we can outline the most cost-effective approach to meeting the PCI DSS obligations.


Our approach

We will analyse current data protection efforts against the PCI DSS v3.2. We will provide a management report outlining the findings of the gap analysis, along with a strategic roadmap, containing a description of the changes necessary to comply with the PCI DSS.


What will my service cover?

  • Our QSA will meet with key members of your staff to gain an understanding of the CDE and explain the security requirements necessary to comply with the PCI DSS.
  • We will perform a scoping exercise by critically evaluating the CDE and connected system components to determine the necessary coverage for the PCI DSS requirements.
  • We will evaluate all areas in scope for the PCI DSS to determine compliance status.

Get in contact

We have a team of account managers and security consultants to discuss your PCI DSS challenges. For more information, please contact us.
