Quick Answer: A PCI DSS gap assessment compares your current security controls against all applicable PCI DSS v4.0 requirements and produces a gap register with risk ratings and remediation roadmap. eShield IT provides fixed-price gap assessments from AED 8,000 (UAE) or ₹1,80,000 (India) covering all 12 PCI DSS requirements including the 64 new mandatory v4.0 controls. Delivery takes 2–5 weeks. Required by RBI for Indian payment aggregators and strongly recommended before any QSA formal audit.
Quick answer: A PCI DSS gap assessment is a structured review that compares your current security controls, processes, and documentation against all applicable PCI DSS v4.0 requirements. It produces a gap register identifying exactly what is missing, the risk level of each gap, and a prioritised remediation plan with effort estimates. A gap assessment is the essential first step before engaging a QSA — finding and fixing gaps yourself is significantly cheaper than having a QSA find them during a formal audit.
What Is a PCI DSS Gap Assessment?
A PCI DSS gap assessment (also called a PCI gap analysis) systematically evaluates your organisation’s current state against every applicable requirement in PCI DSS v4.0. The assessment covers all six control objectives and 12 main requirements, including the 64 sub-requirements that became mandatory on April 1, 2025 under v4.0.
The output is a gap register — a structured document that lists every requirement your organisation does not currently meet, categorises the gap by risk level (high, medium, low), and prescribes specific remediation actions with estimated effort and cost. A good gap assessment also includes scoping analysis to determine whether your CDE can be reduced in size, and SAQ guidance to identify the correct self-assessment questionnaire for your environment.
Gap Assessment vs. QSA Audit: Why the Order Matters
The difference in cost between fixing gaps before a QSA audit and fixing them during or after is significant. A gap assessment costing AED 8,000–18,000 can prevent remediation delays that extend a QSA engagement by weeks — at QSA billing rates of AED 1,500–3,500 per day. More importantly, gaps found by your QSA become formal audit observations that affect your Report on Compliance — gaps found in your own assessment are just internal findings.
| | Gap Assessment First | QSA Audit Without Prior Gap Assessment |
|---|---|---|
| Gap discovery cost | AED 8,000–18,000 (fixed) | Built into QSA hourly billing — unpredictable |
| Remediation time | Planned and budgeted before audit starts | Discovered mid-audit, causes delays and re-scoping |
| Audit outcome | RoC/SAQ submitted with no surprises | RoC may have observations; re-assessment fees apply |
| Budget predictability | High — gaps are priced before audit begins | Low — remediation scope unknown at audit start |
| Time to compliance | Typically 20–30% faster overall | Delays common when gaps are found during QSA audit |
What Our PCI DSS Gap Assessment Covers
eShield IT’s PCI DSS gap assessment covers all 12 PCI DSS v4.0 requirements across six control objectives, with specific attention to the 64 requirements that became mandatory in April 2025:
- Req 1 & 2 — Network security and secure configuration: Firewall rules, network segmentation effectiveness, default credential removal, hardening standards across all CDE systems
- Req 3 & 4 — Cardholder data protection: Data discovery exercise, encryption at rest and in transit, key management practices, tokenisation assessment
- Req 5 & 6 — Vulnerability management and secure software: Anti-malware coverage, patch management cadence, SDLC security controls, web application firewall assessment
- Req 7 & 8 — Access control: Role-based access review, MFA coverage (now mandatory for all CDE access under v4.0), privileged access management, user lifecycle
- Req 9 — Physical security: Physical access controls to CDE systems, media handling, visitor management, device inventory
- Req 10 — Logging and monitoring: Audit log coverage, log retention, automated alerting on security events (new v4.0 automation requirement)
- Req 11 — Security testing: ASV scan status, penetration testing cadence and methodology, internal vulnerability scanning frequency
- Req 12 — Security policy and programme: Information security policy, risk assessment process, incident response plan, vendor management, security awareness training
PCI DSS v4.0 Gap Assessment: The 64 New Mandatory Requirements
As of April 1, 2025, all 64 PCI DSS v4.0 requirements previously designated as “future-dated best practices” are now fully mandatory. Our gap assessment specifically tests for these requirements, which are the most frequently missed in post-transition assessments. The most commonly failed new requirements include:
- 6.4.3 — All payment page scripts must be inventoried, authorised, and integrity-checked
- 11.6.1 — Automated mechanisms must detect unauthorised modifications to HTTP headers and script content on payment pages
- 8.4.2 — MFA required for ALL access into the CDE, including from internal networks
- 10.7.2 / 10.7.3 — Automated detection of failures of critical security controls with personnel notification
- 12.3.2 — Targeted risk analysis required for each “customised approach” or “compensating control”
- 12.9.2 — All third-party service providers must annually acknowledge their PCI DSS responsibilities in writing
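Requirements 6.4.3 and 11.6.1 are the two most concrete of the list above: keep a written inventory of every script the payment page loads, and detect when a script or a security header changes from that approved baseline. The following Python monitor is an added example written for this page, not eShield IT's tooling or any PCI SSC reference code; every URL, script body, header value and change-request number in it is constructed for illustration, and it assumes the monitor has already fetched the external scripts it compares (passed in as `fetched`).

```python
"""Payment-page script inventory and tamper detection.

Illustrates PCI DSS v4.0 Req 6.4.3 (authorised script inventory) and
Req 11.6.1 (detecting unauthorised changes to payment-page scripts and
HTTP headers). Every URL, script body and header value below is constructed
for this example; a real monitor would fetch the live page on a schedule.
"""
import hashlib
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Req 6.4.3: the approved inventory (constructed) ---------------------
# Baseline content is what each script contained when it was authorised.
BASELINE_CHECKOUT_JS = b"window.checkout = { submit: function () { /* tokenise card */ } };"
BASELINE_INLINE_JS = b"window.__cfg = { env: 'prod' };"

INVENTORY = {
    "https://pay.example.test/js/checkout.js": {
        "sha256": sha256_hex(BASELINE_CHECKOUT_JS),
        "justification": "Card form tokenisation (approved under CR-0001, constructed id)",
    },
}
# Inline scripts carry no src, so they are authorised by content hash.
AUTHORISED_INLINE_HASHES = {sha256_hex(BASELINE_INLINE_JS)}

# --- Req 11.6.1: header baseline (constructed) ---------------------------
BASELINE_HEADERS = {
    "content-security-policy": "script-src 'self' https://pay.example.test",
    "x-frame-options": "DENY",
}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    check: str     # requirement the observation relates to
    subject: str   # script URL, "inline" or header name
    detail: str


def extract_scripts(html: str) -> tuple[list[str], list[bytes]]:
    """Split a page's <script> tags into external src URLs and inline bodies."""
    external, inline = [], []
    for attrs, body in SCRIPT_RE.findall(html):
        match = SRC_RE.search(attrs)
        if match:
            external.append(match.group(1))
        else:
            inline.append(body.strip().encode())
    return external, inline


def check_payment_page(html, fetched, headers, inventory=INVENTORY,
                       inline_hashes=AUTHORISED_INLINE_HASHES,
                       baseline_headers=BASELINE_HEADERS) -> list[Finding]:
    """Compare one observed page against the inventory and header baseline.

    `fetched` maps each external script URL to the bytes the monitor downloaded;
    a script that could not be fetched hashes as empty and is reported as changed.
    """
    findings = []
    external, inline = extract_scripts(html)
    for src in external:
        if src not in inventory:
            findings.append(Finding("6.4.3", src, "script not in authorised inventory"))
            continue
        observed = sha256_hex(fetched.get(src, b""))
        if observed != inventory[src]["sha256"]:
            findings.append(Finding("11.6.1", src, "content hash differs from baseline"))
    for body in inline:
        if sha256_hex(body) not in inline_hashes:
            findings.append(Finding("6.4.3", "inline", "inline script not in inventory"))
    observed_headers = {k.lower(): v for k, v in headers.items()}
    for name, expected in baseline_headers.items():
        got = observed_headers.get(name)
        if got != expected:
            findings.append(Finding("11.6.1", name, f"expected {expected!r}, got {got!r}"))
    return findings


# --- Constructed observation: what the monitor saw on one run -----------
OBSERVED_HTML = """
<html><head>
<script>window.__cfg = { env: 'prod' };</script>
<script src="https://pay.example.test/js/checkout.js"></script>
<script src="https://cdn.example.test/analytics.js"></script>
<script>document.title = 'Checkout';</script>
</head></html>
"""
OBSERVED_FETCHED = {
    "https://pay.example.test/js/checkout.js": BASELINE_CHECKOUT_JS + b"\nwindow.checkout.debug = true;",
    "https://cdn.example.test/analytics.js": b"/* never approved */",
}
OBSERVED_HEADERS = {
    "Content-Security-Policy": "script-src 'self' https://pay.example.test https://cdn.example.test",
    "X-Frame-Options": "DENY",
}


def run_example() -> list[Finding]:
    return check_payment_page(OBSERVED_HTML, OBSERVED_FETCHED, OBSERVED_HEADERS)


if __name__ == "__main__":
    for f in run_example():
        print(f"[Req {f.check}] {f.subject}: {f.detail}")
```

Run against the constructed observation it reports four findings: the approved `checkout.js` no longer matches its baseline hash, an `analytics.js` script is loading that was never inventoried, an inline script appeared that is not in the inventory, and the Content-Security-Policy header now permits an extra origin. The inventory entry's `justification` field is the written business justification 6.4.3 asks for; the hash comparison and header baseline are the "automated mechanism" 11.6.1 asks for, and the monitor's findings would feed the alerting called for under Requirement 10.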
PCI DSS Gap Assessment Process: What to Expect
Our gap assessment follows a structured five-phase process completed in 3–5 weeks for most environments:
| Phase | Duration | What Happens | Your Involvement |
|---|---|---|---|
| 1. Kick-off & scoping | 2–3 days | Define CDE boundaries, identify all in-scope systems, map cardholder data flows, determine merchant level and applicable SAQ | Technical lead + IT architect (4–6 hours) |
| 2. Documentation review | 1 week | Review existing security policies, network diagrams, system configurations, vendor agreements, and prior assessment evidence | Submit existing documents; 1–2 hours of Q&A |
| 3. Technical interviews | 1 week | Structured interviews with IT, operations, and management stakeholders covering all 12 PCI DSS requirement areas | 2–3 stakeholders, 2–3 hours each |
| 4. Technical testing | 3–5 days | Validate network segmentation, review system configurations, check log settings, verify encryption implementations | Provide remote/VPN access to CDE systems |
| 5. Report & debrief | 3–5 days | Draft gap register, risk rating, remediation roadmap; present findings in a structured debrief session with your team | 2-hour debrief session |
PCI DSS Gap Assessment Cost — UAE & India 2026
Gap assessment pricing is primarily driven by environment size (number of in-scope systems and IP addresses), merchant level, and how well-documented the current environment is. Organisations with existing ISO 27001 controls or prior PCI DSS assessments require significantly less effort.
| Environment Profile | UAE (AED) | India (INR) | Typical Duration |
|---|---|---|---|
| Small merchant / SAQ A-EP or C (up to 10 CDE systems) | AED 8,000–12,000 | ₹1,80,000–₹2,75,000 | 2–3 weeks |
| Mid-size merchant / SAQ D (10–50 CDE systems) | AED 12,000–18,000 | ₹2,75,000–₹4,00,000 | 3–5 weeks |
| Service provider / Level 1 merchant (50+ CDE systems) | AED 18,000–35,000 | ₹4,00,000–₹8,00,000 | 4–8 weeks |
| Combined ISO 27001 + PCI DSS gap (dual-framework) | AED 22,000–45,000 | ₹5,00,000–₹10,00,000 | 6–10 weeks |
All prices are fixed — no hourly billing. The gap assessment deliverable includes the written gap register, risk ratings, remediation roadmap, SAQ selection guidance, and a debrief session. We also offer a Combined Gap Assessment + Remediation Support package that includes our consultants working alongside your team to close identified gaps before the QSA engagement.
PCI DSS Gap Assessment for India: RBI & Acquirer Requirements
For Indian organisations, PCI DSS gap assessments serve both compliance and regulatory purposes. The RBI Payment Aggregator Guidelines (March 2020) require all RBI-licensed payment aggregators to undergo a formal PCI DSS gap assessment and achieve compliance within the timelines specified by RBI. For e-commerce merchants, Visa and Mastercard India acquirer mandates require SAQ completion — and a gap assessment is the most efficient path to an accurate SAQ submission.
eShield IT conducts PCI DSS gap assessments for Indian clients remotely, with all interviews, documentation reviews, and technical testing conducted online. Deliverables are provided in formats accepted by Indian acquiring banks and the RBI for regulatory submissions. Our India gap assessment pricing is available in INR with local invoicing.
Get a Fixed-Price PCI DSS Gap Assessment Proposal
Tell us your merchant level, approximate number of CDE systems, and your timeline. We will send a scoped, fixed-price proposal within one business day. UAE, GCC, India, and APAC — all regions served.