Risk assessment was already part of PCI DSS from its inception up to version 3.2.1. Requirement 12.2 of PCI DSS 3.2.1 states: Implement a risk-assessment process that:
- Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
- Identifies critical assets, threats, and vulnerabilities, and
- Results in a formal, documented analysis of risk.
This enterprise-wide risk assessment is subject to two key validation checks by the QSA:
- Verify that an annual risk assessment process is documented, identifies threats and vulnerabilities, and results in a formal, documented analysis of risk.
- Review risk-assessment documentation to verify that the risk-assessment process is performed at least annually and upon significant changes to the environment.
PCI DSS 4.0 removes the mandatory character of enterprise-wide risk assessments. Entities are nevertheless encouraged to continue performing such assessments as part of an overarching risk management program, used as an input to the annual review of the organization's overall information security policy and to help the entity identify and understand broader and emerging threats that could negatively impact its business.
Targeted Risk Assessments
Targeted risk assessments are required for:
How frequently is "frequently"?
About 11 PCI DSS requirements give organizations the flexibility to choose how frequently a given control is executed.
The chosen frequency must be supported by a targeted risk analysis that takes into account: the sensitivity of the assets in scope of the given control, the threat(s) that the control protects those assets from, the factors that could contribute to likelihood or impact, and the level of risk the entity is willing to accept.
PCI DSS 4.0 - 12.3.1 Each PCI DSS requirement that provides flexibility for how frequently it is performed must be supported by a targeted risk analysis that is documented and includes:
• Identification of the assets being protected by the requirement.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors (vulnerabilities) that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
Do you use a customized approach?
Documented targeted risk assessments are also required wherever a customized approach is followed to meet the control objectives.
PCI DSS 4.0 - 12.3.2 A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach.
PCI DSS 4.0 proposes a template to document these assessments. It covers the following points:
Identify the PCI DSS requirement
- What is the objective of the requirement?
- Describe the mischief that the requirement was designed to prevent.
Describe the proposed solution
- Customized control name/identifier (use the same identifier as in the Customized Control Matrix sheet)
- What parts of the requirement as written will change in the proposed solution?
- How will the proposed solution prevent the mischief?
Analyze any changes to the LIKELIHOOD of the mischief occurring, leading to a breach in confidentiality of cardholder data
- How successful will the controls be at preventing the mischief?
- Typical reasons for the control to fail, the likelihood of this, and how it could be prevented
- How resilient are the entity's processes and systems at detecting that the control(s) are not operating normally?
- To what extent do the controls detailed in the customized approach represent a change in the likelihood of the mischief occurring (Mischief more likely to occur/No change/Mischief less likely to occur)
- Provide the reasoning for your assessment of the change in likelihood that the mischief occurs once the customized controls are in place.
Analyze any changes to the IMPACT of unauthorized access to account data
- What volume of account data would be at risk of unauthorized access if the solution failed?
- How the customized controls will directly:
  - Reduce the number of individual PANs compromised if a threat actor is successful, and/or
  - Allow quicker notification of the compromised PANs to the card brands.
Risk analysis reviews and updates
Targeted risk assessments must be reviewed at least once every 12 months and upon changes that could impact the risk to the environment.
How does the PCI DSS 4.0 Compliance Dashboard help?
The brand-new PCI DSS 4.0 Compliance Dashboard:
- Lists the requirements subject to targeted risk assessments
- Provides a template for documenting the frequency-related risk assessments
- Provides a template for documenting the customized approach risk assessments