PCI DSS Gap Analysis

Published on 4 August 2022
SUMMARY

Who is the Gap Analysis Aimed At?

URM’s PCI DSS gap analysis service is aimed at those organisations which are looking to benchmark their current corporate information security practices (relating to payment card data) against the Standard and understand their readiness for a c

The gap analysis is often the first step of a PCI DSS project and provides you with a roadmap for achieving compliance.

This service will typically involve one of URM’s QSAs spending time on your site or meeting remotely with those individuals responsible for:

  • The PCI DSS programme
  • Network administration and cardholder systems
  • Developing company policies and procedures

Focus of Gap Analysis

URM’s QSA will assess your organisation’s practices against the 12 high-level PCI DSS requirements as follows:

  1. Install and maintain network security controls
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data with strong cryptography during transmission over open, public networks
  5. Protect all systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system components and cardholder data by business ‘need to know’
  8. Identify users and authenticate access to system components
  9. Restrict physical access to cardholder data
  10. Log and monitor all access to system components and cardholder data
  11. Test security of systems and networks regularly
  12. Support information security with organisational policies and programs

Gap Analysis Outputs

The key output from our PCI DSS gap analysis service will be a report that includes:

  • A definition of your cardholder data environment (CDE) and in-scope business processes, applications, devices, networks, facilities and service providers
  • An assessment of how closely your organisation meets each of the PCI DSS requirements
  • Recommendations for reducing the scope of the CDE, where applicable, thus reducing the potential cost of compliance
  • Detailed recommendations for remediating any areas of non-compliance
  • Advice regarding your organisation's best options for achieving PCI DSS compliance quickly and cost-effectively, drawing upon our QSAs’ experience working with similar organisations.

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
It’s one thing having the required technical knowledge, it’s another thing for a consultant to apply that knowledge to the context of our organisation. To use a sporting analogy, we view cyber and information security as a marathon not a sprint. I am not a believer in doing everything all at once. Our approach has been risk based and incremental, remediating our biggest risks first before moving on. I believe this approach is far more sustainable and effective. And URM’s consultants fully understand this and are very pragmatic and tailored in their guidance and advice. They know we are not implementing ISO 27001 purely for the certificate, but more as a framework for continual improvement, and at a pace where new systems and processes can be fully understood and absorbed by our team and be business as usual.
The Owners and Distributors of Quality Brands