Note: This blog post originally appeared on the SecureState blog.
In information security, various regulations require a periodic risk assessment, and the Payment Card Industry (PCI) Data Security Standard (DSS) is no exception. For PCI-DSS, the risk assessment process is designed to identify, analyze, and document risks to cardholder data. The assessment is an integral component of the risk management strategy, and therefore should be used to manage threats and vulnerabilities and to document control effectiveness.
PCI-DSS Requirement 12.1.2 requires a “formal risk assessment” to be performed. However, what this means has remained a topic of debate both among practitioners and those procuring their services. Auditors and their clients often grapple with compliance issues as they interpret the “gray” areas of compliance frameworks. In 2012 the PCI Security Standards Council formed a Special Interest Group (SIG) to remove some of the ambiguity around executing risk assessments to meet PCI-DSS requirements. The output of the SIG was the Information Supplement: PCI DSS Risk Assessment Guidelines v1.
Industry adoption of the guidance provides consistency and helps manage merchant expectations, but more importantly it should encourage entities that store, process, or transmit cardholder data (CHD) to evaluate their processes and reduce their risk in a consistent way. This benefits the card brands (e.g., VISA, MC, AmEx), the merchants, and ultimately their customers.
Before we dive into the guidance in the Information Supplement, it is important to note that the SIG made it clear the risk assessment is used to determine what additional controls are needed to protect CHD; it cannot be used to avoid or bypass any PCI DSS requirement.
The Information Supplement lists a variety of risk frameworks (OCTAVE, ISO 27005, NIST SP 800-30) but does not require a specific one. Any risk framework that meets the guidelines in the document can be used. Below is a summary of what is minimally required for a risk assessment to be PCI-DSS compliant. There are other items that should be included in a risk assessment, but today we are only looking at the minimum requirements outlined in the SIG document.
- Methodology must be defined and follow a documented process
- Must be performed annually
- Must cover any people, processes or technology that could impact the security of the Cardholder Data Environment (CDE). This is not limited to systems inside the CDE: it includes the people, processes and technologies involved in storing, processing or transmitting CHD, as well as those not directly involved with CHD that could still affect the security of the CDE.
- Must include an asset inventory (people, processes and technology) that covers all payment channels and includes any asset that directly or indirectly impacts the processing, storage, transmission or protection of CHD or the security of the CDE.
- Must identify threats, vulnerabilities and controls that could impact the security of the cardholder data
- Can be quantitative, qualitative or a mix of both
- Must include risks introduced by outsourcing to third parties
- Must identify and score threats (capabilities, impacts, likelihood, etc.)
- Must identify organizational and technical vulnerabilities
- Must identify controls and assess their effectiveness
- The output of the risk assessment must be a prioritized risk mitigation plan
If your organization needs to be PCI-DSS compliant, it is critical that the risk assessment methodology you use meets these requirements.
Contact SecureState if you need help performing a risk assessment or if you are unsure whether your current risk assessment process meets the PCI-DSS requirements.
You are also invited to attend an exclusive Web Seminar on Tuesday, March 26th at Noon (ET) featuring a discussion of the new PCI-DSS requirements; registration is available on the seminar's registration page.