*This article was taken from our PCI Guide. For more information on this topic, download our free PCI Guide.
Get Started with PCI ComplianceStart Here
The risk assessment is where a lot of organizations struggle with PCI compliance. Many treat it as simply another item on the to-do list. In reality, a risk assessment can be the most important part of your overall security and compliance program, since it helps you identify systems, third parties, business processes, and people that are in scope for PCI compliance. Too many companies approach PCI as simply an “IT issue” and are surprised when they realize PCI compliance touches a lot of other business processes and practices. If you aren’t doing a formal risk assessment now and are intimidated by the process, start small and plan to increase the scope of the review each year.
A risk assessment is a great starting point for establishing a successful security and PCI compliance program.
Another area of difficulty, especially for small organizations, is putting together a comprehensive and relevant security awareness program. Don’t be afraid of what you don’t know! Even if you aren’t a security expert yourself, there is a wealth of security-related information available online, and many resources that make it easy to present a polished training program to your employees. This is one area where the help of an outside security expert or partner can be valuable, since security threats are constantly evolving.
PCI DSS v4.0 Considerations for Requirement 12
The annual risk assessment requirement still calls for the identification of assets, threats, and likelihood of exploitation to occur, but it clarifies that the risk assessment is to be targeted toward each PCI requirement that allows an organization the flexibility to define their own testing frequency or controls.
For example, if you are a retail merchant, you have a requirement to periodically inspect each point-of-interaction device (PIN pad) for signs of tampering. How frequently these inspections should occur can vary based on many factors. How frequently you decide to perform them must be based on a formal targeted risk assessment that documents the factors that resulted in your decision.
Another example that requires performance of a targeted risk assessment is if you implement the new Customized Approach to any PCI requirement. If you take this route, you are able to define your own security controls to meet the requirement. However, first you must perform a formal risk assessment to ensure that the control will meet the objective of the requirement and address the risk that the original control mitigated.
Another addition to this requirement section is to define an annual process to review hardware, software, and cryptographic cipher suites and protocols used in your environment to ensure that the technologies you rely on are kept current and are still supported by vendor-provided updates and security patches.
All organizations are now required to document and confirm their PCI scope annually to ensure all flows and locations of cardholder data are taken into account, and any changes to scope are understood. Service providers must perform this scoping exercise at least every six months.
Additionally, service providers now need a process to make sure that organizational changes don’t have a negative impact on PCI compliance and the performance of PCI responsibilities.