Here are the 8 validation steps to identify the PCI gaps:
- Validate that centralized policies and procedures are in place.
This validation step involves reviewing the policies, procedures, and processes used to protect the cardholder data environment.
- Validate that internal network segmentation (via firewalls or router/switch-based ACLs) is in place.
Conduct a technical analysis of the control infrastructure covering the PCI applications and system components.
- Validate that cardholder data is not stored in clear text
This validation step ensures that the cardholder data is encrypted or masked in the database.
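A practical way to check this step is to scan an export of the in-scope tables for primary account numbers that are still readable. The script below is an added example for this article, not code from the original page: it runs a Luhn checksum over digit runs in a constructed set of sample rows (the rows, the column name `card`, and the test card numbers are all assumptions) so that a masked value, an encrypted blob, and a random 16-digit number are not reported, while a cleartext PAN is. The `mask_pan` helper shows the masked form that should be stored instead.

```python
import re

# Constructed sample rows, shaped like a database export (test values, not real PANs).
SAMPLE_ROWS = [
    {"id": 1, "customer": "alice", "card": "4111111111111111"},  # cleartext PAN (Luhn-valid test number)
    {"id": 2, "customer": "bob",   "card": "************4242"},  # masked: only the last four digits kept
    {"id": 3, "customer": "carol", "card": "enc:Z2FyYmxlZA=="},  # encrypted/tokenized blob
    {"id": 4, "customer": "dave",  "card": "1234567812345678"},  # 16 digits but fails Luhn: not a PAN
]

# A PAN is 13 to 19 digits; the lookarounds stop us matching inside longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(rows, field="card"):
    """Return the ids of rows whose `field` holds a readable, Luhn-valid PAN."""
    flagged = []
    for row in rows:
        value = str(row.get(field, ""))
        digits_only = re.sub(r"[ -]", "", value)   # tolerate common separators
        match = PAN_CANDIDATE.search(digits_only)
        if match and luhn_valid(match.group(1)):
            flagged.append(row["id"])
    return flagged


def mask_pan(pan: str) -> str:
    """Mask a PAN so that only the last four digits remain readable."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    hits = find_cleartext_pans(SAMPLE_ROWS)
    print("rows with cleartext PANs:", hits)          # rows with cleartext PANs: [1]
    for row in SAMPLE_ROWS:
        if row["id"] in hits:
            print(f"row {row['id']} should be stored as {mask_pan(row['card'])}")
```

Run against a real export, the list of flagged row ids is the evidence for the gap analysis matrix; an empty list only says the sampled column is clean, so repeat the check across every in-scope table, including free-text and log columns where PANs tend to leak.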
- Validate that formal key management processes are in place
This talks about how the encryption keys are changed and maintained. Are the keys changed annually? How and where are they stored? Who are the key holder(s)?
- Validate that logging is enabled
Are the logs enabled at the device, server, application, database levels? If not, why not?
- Validate that logs are stored in a centralized log management system
Are all the logs being shipped to a centralized log management system, e.g. QRadar or Splunk? Who is monitoring it, and how is it being monitored?
- Validate quarterly perimeter (via an ASV) and internal vulnerability scans are taking place
Are quarterly external scans being done, and by an approved scanning vendor (ASV)? Are the findings being reviewed, addressed, and re-scanned? Are the completed scans being verified and certified by the ASV?
Are the internal vulnerability scans being done on all in-scope systems and components?
Are the web application vulnerability scans being done as well on the website?
- Validate annual perimeter and internal (application- and network-based) penetration testing is taking place
Are internal and external pen tests being done on an annual basis?
After you have identified the gaps, create a gap analysis matrix that identifies all non-compliant PCI DSS controls. Your QSA should provide high-level remediation guidance for the non-compliant controls.