PCI DSS Gap Analysis: Find Every Gap Before Your Auditor Does
Our gap analysis maps your current technical controls, policies, and procedures against every applicable PCI DSS v4.0 requirement. Every finding is risk-rated and linked to a concrete remediation action — so your team knows exactly what to fix and in what order.
What We Analyse
Six control domains. Every applicable PCI DSS v4.0 requirement. No gaps missed.
Technical Controls
Firewall rules, encryption, access control configurations, patch levels, and vulnerability scan results measured against PCI DSS requirements.
Policies & Procedures
Existence, completeness, and recency of all required information security policies, acceptable use policies, and change management procedures.
Access & Identity
User access provisioning, MFA deployment, password policy enforcement, shared account elimination, and privileged access review.
Logging & Monitoring
Log coverage across all in-scope systems, log retention periods, daily review procedures, and SIEM alerting configurations.
Vulnerability Programme
Penetration test recency, internal and external scan cadence, patch management SLAs, and finding remediation timelines.
Network Architecture
Segmentation effectiveness, DMZ design, wireless security, and data flow documentation reviewed against Requirements 1 and 2.
How the Gap Analysis Works
Scope Confirmation
We confirm the boundary of your cardholder data environment and the applicable SAQ type or ROC scope before analysis begins.
Evidence Collection
Structured evidence requests covering configurations, policies, access logs, scan reports, and penetration test results for all in-scope systems.
Control Mapping
Each piece of evidence is mapped against the specific PCI DSS requirement it satisfies. Missing evidence is flagged as a gap.
Risk Rating & Prioritisation
Each gap is rated Critical, High, Medium, or Low based on PCI DSS requirement severity, exploitability, and available compensating controls.
Remediation Roadmap Delivery
A phased remediation plan with specific tasks, owners, effort estimates, and target completion dates — formatted for immediate use by your engineering and compliance teams.
What You Receive
Gap Register
Every identified gap mapped to its PCI DSS requirement number, risk-rated, and linked to a remediation action.
Risk-Rated Findings Report
Executive and technical summaries with gap counts by severity — suitable for board reporting and QSA submission.
Remediation Roadmap
A phased task list with effort estimates and suggested owners, ordered by risk priority.
Evidence Map
A visual matrix showing which PCI DSS requirements are fully evidenced, partially evidenced, or unaddressed.
Compensating Control Guidance
Where appropriate, we identify compensating controls that can satisfy a requirement while permanent fixes are implemented.
Stop Guessing. Start Fixing.
A PCI gap analysis tells you exactly which controls are missing and what it costs to close them.