Please note: This sample shows only a small section of the complete Gap Assessment tool.
PCI DSS Gap Assessment Tool PCI-DSS-FORM-00-3
PCI DSS: Requirements

| AREA/SECTION | SUB-SECTION | PCI DSS REQUIREMENTS | REQS MET? | ACTION NEEDED TO MEET REQ | ACTION OWNER |
|---|---|---|---|---|---|
| 1 Install and maintain a firewall configuration to protect cardholder data | 1.1 Implement Firewall | Have firewall and router configuration standards and other documentation been completed? | Yes | | |
| | 1.1.1 Firewall testing | Is there a formal process for testing and approval of all network connections and firewall and router configurations? | Yes | | |
| | 1.1.2 Network diagram | Is there an up to date network diagram? | Yes | | |
| | 1.1.3 Cardholder data flow diagram | Is there an up to date cardholder data flow diagram? | Yes | | |
| | 1.1.4 DMZ | Is a valid DMZ in place? | Yes | | |
| | 1.1.5 Network roles and responsibilities | Are groups, roles, and responsibilities for management of network components defined? | Yes | | |
| | 1.1.6 Business justification for services, ports and protocols open | Is business justification for the use of services, ports and protocols documented? | Yes | | |
| | 1.1.7 Firewall and Router review | Is there evidence that the firewall and router rule sets are reviewed at least every 6 months? | Yes | | |
| | 1.2 Protect Cardholder Data Environment | Have firewall and router configuration standards been verified to confirm that all inbound and outbound traffic is necessary for the cardholder data environment? | Yes | | |
| | 1.2.1 Restrict traffic | Do the applicable firewalls and routers limit inbound and outbound traffic to that necessary for the cardholder data environment? | Yes | | |
| | 1.2.2 Router configuration | Are router configurations secured from unauthorized access? | Yes | | |
| | 1.2.3 Firewall between CDE and wireless network | Are perimeter firewalls installed between all wireless networks and the cardholder data environment? | Yes | | |
| | 1.3 Access between internet and CDE | Are firewall and router configurations defined, including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment? | Yes | | |
| | 1.3.1 DMZ | Is the DMZ implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports? | Yes | | |
PCI DSS Gap Assessment dashboard
To refresh chart data, click on "Refresh All" on the Data ribbon.

Gap assessment results

| AREA OF STANDARD | REQS IN SECTION | NO OF REQS MET | PERCENTAGE CONFORMANT |
|---|---|---|---|
| 1 Install and maintain a firewall configuration to protect cardholder data | 22 | 22 | 100% |
| 2 Do not use vendor-supplied defaults for system passwords and other security parameters | 11 | 11 | 100% |
| 3 Protect stored cardholder data | 23 | 23 | 100% |
| 4 Encrypt transmission of cardholder data across open, public networks | 4 | 4 | 100% |
| 5 Protect all systems against malware and regularly update anti-virus software or programs | 6 | 6 | 100% |
| 6 Develop and maintain secure systems and applications | 25 | 25 | 100% |
| 7 Restrict access to cardholder data by business need to know | 10 | 10 | 100% |
| 8 Identify and authenticate access to system components | 25 | 25 | 100% |
| 9 Restrict physical access to cardholder data | 27 | 27 | 100% |
| 10 Regularly Monitor and Test Networks | 17 | 17 | 100% |
| 11 Regularly test security systems and processes | 17 | 17 | 100% |
| 12 Maintain a policy that addresses information security for all personnel | 24 | 24 | 100% |
| Total | 211 | 211 | 100% |

[Radar chart: Percentage level of compliance to the PCI DSS.]
[Radar chart axes: one per requirement 1 to 12, series "Level of compliance to the PCI DSS", scale 0% to 100%.]
[Bar chart: Percentage level of compliance to the PCI DSS; series "REQS IN SECTION" and "NO OF REQS MET" per requirement 1 to 12 on a 0 to 30 axis, with percentage conformant on a 0% to 100% axis.]