What is a PCI Readiness Assessment?
Published June 25, 2020
A Payment Card Industry Data Security Standard (PCI DSS) readiness assessment tells an organization whether it is prepared for a full PCI DSS audit or self-assessment, before that formal assessment begins.
A PCI DSS readiness assessment, also called a gap analysis, identifies where your organization's controls fall short of the PCI DSS requirements and recommends the controls to put in place before the formal assessment, so you understand your key areas of weakness and can respond to evolving compliance obligations. That understanding is the basis for a strategy and plan to achieve compliance across the organization.
A readiness assessment can smooth the way for a Qualified Security Assessor (QSA) to audit your systems, policies and procedures, controls, and other areas of your enterprise.
Who needs a PCI audit?
Entities that accept, transmit, store, or process payment card data are, in most jurisdictions, not required by law or regulation to adopt the PCI standards. Instead, the major card brands impose them contractually through the acquiring banks and payment processors that handle card transactions. Failure to comply with the applicable standard can result in fines and, in the extreme, loss of the ability to accept card payments at all, with the revenue impact that implies. In practice, therefore, PCI DSS is a requirement for every merchant and service provider that handles cardholder data.
Merchants are classified into levels based on the number of card transactions they process per year; the exact thresholds are set by each card brand. An on-site PCI DSS assessment by a QSA and the resulting Report on Compliance (ROC) are required for Level 1 merchants, which Visa and Mastercard define as those processing more than 6 million transactions annually. A card brand or acquirer can also designate a merchant as Level 1 regardless of volume.
Level 2, Level 3, and Level 4 merchants may instead complete a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC), together with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where their SAQ type requires them. Many Level 2 and Level 3 organizations nonetheless elect to undergo a QSA assessment and obtain a ROC.
What a PCI readiness assessment entails
A readiness assessment is intended to find the holes in your PCI compliance program, that is, the deficiencies that would prevent your enterprise from attaining PCI DSS compliance, and typically involves:
- Vulnerability scanning of in-scope hosts, open ports, and applications
- Penetration testing of the cardholder data environment (CDE), including any network segmentation relied on to limit its scope
- Review of your policies, procedures, and supporting evidence against each PCI DSS requirement
With on-site PCI DSS audits costing upwards of $70,000 depending on your environment, a readiness assessment can save your enterprise considerable time and money by identifying and remediating gaps before the QSA arrives, rather than discovering them mid-audit.