
PCI DSS 4.0 - Targeted risk assessments: what are they about?

2/17/2023

Risk assessment has been part of PCI DSS since its inception and remained so up to version 3.2.1. Requirement 12.2 of PCI DSS 3.2.1 states: Implement a risk-assessment process that:
  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  • Identifies critical assets, threats, and vulnerabilities, and
  • Results in a formal, documented analysis of risk.

This enterprise-wide risk assessment is subject to two key validation checks by the QSA:
  • Verify that an annual risk assessment process is documented and identifies threats, vulnerabilities, and results in a formal, documented analysis of risk
  • Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.

PCI DSS 4.0 removes the mandatory execution of enterprise-wide risk assessments. Entities are however encouraged to continue performing such assessments as part of an overarching risk management program, used as an input to the annual review of the organization's overall information security policy and to help entities identify and understand broader and emerging threats with the potential to negatively impact their business.

Targeted Risk Assessments

PCI DSS 4.0 introduces and enforces the execution of Targeted Risk Assessments (TRAs), focused on a narrow scope, often a single control.
Targeted risk assessments are required in the two situations described below:

How frequently is frequently?
About 11 PCI DSS requirements give organizations the flexibility to choose how frequently a given control is executed.
The chosen frequency must be supported by a targeted risk analysis that takes into account: the sensitivity of the assets in scope of the given control, the threat(s) that the control protects those assets from, the factors that could contribute to the likelihood or impact of the threat, and the level of risk the entity is willing to accept.

PCI DSS 4.0 - 12.3.1 Each PCI DSS requirement that provides flexibility for how frequently it is performed must be supported by a targeted risk analysis that is documented and includes:
  • Identification of the assets being protected by the requirements
  • Identification of the threat(s) that the requirement is protecting against.
  • Identification of factors (vulnerabilities) that contribute to the likelihood and/or impact of a threat being realized.
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.

Do you use a customized approach?
Documented targeted risk assessments are also required wherever a customized approach is followed to meet the control objectives.

PCI DSS 4.0 - 12.3.2 A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach.

PCI DSS 4.0 proposes a template to document these assessments. It covers the following points:

Identify the PCI DSS requirement
  • What is the objective of the requirement?
  • Describe the mischief that the requirement was designed to prevent.

Describe the proposed solution
  • Customized control name/identifier (use the same identifier as in the Customized control matrix sheet)
  • What parts of the requirement as written will change in the proposed solution?
  • How will the proposed solution prevent the mischief?

Analyze any changes to the LIKELIHOOD of the mischief occurring, leading to a breach in confidentiality of cardholder data
  • How successful will the controls be at preventing the mischief?
  • What are the typical reasons for the control to fail, how likely is this, and how could it be prevented?
  • How resilient are the entity's processes and systems at detecting that the control(s) are not operating normally?
  • To what extent do the controls detailed in the customized approach change the likelihood of the mischief occurring? (Mischief more likely to occur / No change / Mischief less likely to occur)
  • Provide the reasoning for your assessment of the change in likelihood that the mischief occurs once the customized controls are in place.

Analyze any changes to the IMPACT of unauthorized access to account data
  • What volume of account data would be at risk of unauthorized access if the solution failed?
  • How will the customized controls directly:
      • Reduce the number of individual PANs compromised if a threat actor is successful, and/or
      • Allow quicker notification of the compromised PANs to the card brands?

Risk analysis reviews and updates
Targeted risk assessments must be reviewed at least once every 12 months and upon changes that could impact the risk to the environment.

How does the PCI DSS 4.0 Compliance Dashboard help?

The brand-new PCI 4.0 Compliance Dashboard:
  • Lists the requirements subject to targeted risk assessments
  • Provides a template for documenting the frequency-related risk assessments
  • Provides a template for documenting the customized approach risk assessments

PCI DSS 4.0 Customized Approach - All roads lead (probably) to Rome

2/9/2023

The customized approach is a brand-new concept introduced in PCI DSS 4.0 to provide flexibility in the way PCI requirements are met: either by strictly following the defined approach to the letter, as in earlier versions of the standard, or by following another path leading to the same objectives. All roads lead to Rome!
What you need to know
  • It is up to each entity to determine whether and where to follow the defined approach or the customized approach.
  • Using the customized approach requires greater initial effort to ensure the controls are properly implemented and can be effectively assessed.
  • Controls met through a customized approach must be supported by a risk assessment, proper documentation (see below) and proper testing.
  • The customized approach can only be used for RoCs (Reports on Compliance) and not for SAQs (Self-Assessment Questionnaires).
  • About 12% of the PCI DSS controls are not eligible for a customized implementation.
  • The customized approach cannot be used mid-assessment to correct something that is not compliant.
  • Entities wishing to use the customized approach should consult their compliance-accepting entity (acquirers or payment brands) to understand any related requirements or impacts.
  • A QSA may assist with defining customized approaches, but it cannot be the same QSA as the one performing the assessment.
  • Judging the adequacy of a customized approach, its design and its implementation is left to the discretion of the QSA.
  • It is recommended that entities design, implement, and document the controls for a customized approach well before the PCI DSS assessment begins.
Documentation - evidence
For each PCI control implemented through a customized approach, the following information is expected to be documented:
    • The name of the customized control
    • The associated PCI control ID
    • The customized approach objective (see the customized approach column of the PCI Compliance Dashboard)
    • Description of the implemented control
    • Where the control is implemented
    • When the control is performed
    • Who is responsible and accountable for this control
    • Who is involved in managing, maintaining, and monitoring the control
    • How the implemented control meets the stated objective (as defined in the standard)
    • The tests performed to prove the control meets the stated objective
    • Brief description of the results of the risk analysis for this control (see below)
    • How the control is maintained and how its effectiveness is assured

How can the PCI 4.0 Compliance Dashboard help?
The PCI DSS 4.0 Compliance Dashboard provides in one view all the information you need to consider on your compliance journey. In the context of the customized approach, it includes the defined approach requirements, the customized approach objectives, the controls not eligible for the customized approach, as well as a register for documenting controls met with a customized approach, with all the information listed above.

PCI 4.0 - The KING is dead, long live the KING

2/2/2023

"The king is dead, long live the king!" This traditional proclamation, made upon the accession of a new monarch in various countries, certainly applies to PCI DSS with the release of PCI 4.0. But wait... do not count your chickens before they are hatched (yes, another quote). Indeed, although the successor to the throne has been appointed and can already rule, the old rules enacted by the current monarch remain valid until its retirement on March 31, 2024. This transition period provides organizations with time to become familiar with the changes in v4.0, update their reporting templates and forms, and plan for and implement changes to meet the new rules of the game.
In addition to the transition period, organizations have until 31 March 2025 to comply with about 50 new requirements that are initially identified as best practices in v4.0. Prior to this date, organizations are not required to validate against these new requirements. However, organizations that have implemented controls to meet the new requirements and are ready to have those controls assessed prior to their effective date are encouraged to do so. After 31 March 2025, these new requirements are effective and must be fully considered as part of a PCI DSS assessment.
Track these "new requirements" with the new version of the PCI Compliance Dashboard, fully aligned with PCI DSS v4.0. It includes the defined approach requirements, the customized approach, applicability notes, purpose, good practices and further information, definitions, examples, defined testing procedures and the prioritized approach. It also provides templates to register your compensating controls and controls met through remediation, as well as your customized controls, the customized approach risk analysis, and the execution of vulnerability scans and penetration tests. A must to stay ahead on your compliance journey.

Get your PCI 4.0 Compliance Dashboard right here


Provided by DGOZONE SPRL.