The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for companies that handle credit and debit cards from the major card brands, whether via e-commerce or in in-person transactions, and those that store or process payment card data.

PCI DSS Requirement 12.2 requires that organizations annually perform formal risk assessments to identify threats, vulnerabilities, and risks to the business, particularly risks to debit and credit card data and their environments. This requirement can help you identify, prioritize, and manage your information security risks.

If you don’t want to get hit with a data breach, you’ll need to close security and PCI DSS compliance gaps. A risk assessment can help you figure out which vulnerabilities you should address first.

A risk assessment helps you anticipate threats and the vulnerabilities associated with those threats that can harm your business. A risk assessment also helps you determine how to implement the controls that can ward off those threats or lessen their effects on your company if they do arise.

Conducting a risk assessment at least annually keeps you up to date with changes in your business. It also enables you to consider those changes in light of new threats, new technologies, and emerging trends. These changes might include introducing a new software application to your cardholder data environment or launching new products or services.  A risk assessment should also be performed when there are significant changes to your organization’s environment such as relocation, merger, or acquisition.

There are a number of industry-accepted risk assessment methodologies that you can use to develop your risk assessment process, according to the PCI Data Security Standard. These include OCTAVE, ISO 27005, and NIST SP 800-30.

Assessing Your PCI DSS Risks

Your PCI DSS risk assessment should include:

  • The types of risk that may exist in your systems, applications, or processes
  • Company assets that need protection from these risks
  • Your entity’s level of vulnerability to each risk 
  • The likelihood that each risk will materialize (that a threat will occur)
  • The impact on your organization if a threat should occur
  • How your company can reduce the likelihood of threats and their impact. 

According to the PCI Security Standards Council, these are the steps you should follow when conducting your PCI DSS risk assessment:

  1. Develop a Risk Assessment Team and Methodology. Establish a risk assessment team with people from every department, including those that process, store, and transmit cardholder data. Appoint a team leader who understands the PCI DSS requirements and the risk assessment methodology.

    Adopt a methodology that fits with your company’s culture and the current business climate so you can be sure to meet your risk objectives.
  2. Identify Your Risks.  “Risk” refers to the likelihood that a threat will materialize, often due to a vulnerability. “Risk level” refers to the potential impact that threat will have on your company and your customers.

    For example, a system that employs weak passwords is vulnerable to the threat that a bad actor could compromise user credentials and break into the system. Your company is at risk if you store cardholder data that are not encrypted in your system.

    When threats are likely to take advantage of a vulnerability, therein lies your risk.

The PCI Security Standards Council (PCI SSC) lists four areas of focus in the risk-identification process:

  • Context establishment: Understanding the “the organization’s hierarchy, business processes, cardholder data (CHD) flows, and any associated system components”
  • Asset identification: The “the people, processes, and technologies that are involved in the processing, storage, transmission, and protection of CHD.” This step also involves identifying who is responsible for protecting each critical asset and may include assigning a value to each depending on its importance to the business.
  • Threat identification: Anyone or anything that could cause harm to the organization is a threat. The PCI SSC suggests talking with people throughout the company to compile a comprehensive list. Reviewing past threats can also help pinpoint those most likely to occur in the future.
  • Vulnerability identification: Part of vulnerability management, this step involves pinpointing weaknesses or potential weaknesses that threat actors could exploit, such as payment channels and devices. The PCI SSC recommends using vulnerability assessment reports, penetration-testing reports, and technical security audits such as firewall rule reviews, secure code reviews, and database configuration reviews.
  1. Determine Your Risk Levels. Which risks stand to affect your organization? Prioritizing these risks and their potential impacts is a key part of your risk assessment, ultimately guiding your risk management strategy.

The PCI SSC recommends ranking risks according to:

  • The ability of the “threat agent” to carry out the threat
  • The threat agent’s intent
  • The threat’s relevance to the enterprise
  • The likelihood of its occurring
  • The damage that it could cause to the organization.

Next, assign a risk level to every vulnerability and every threat that’s associated with the vulnerability, i.e., high, medium, or low risk. For additional information on the various risk evaluation methods, i.e., quantitative vs. qualitative, see the PCI Security Standards Council’s  PCI DSS Risk Assessment Guidelines.

4. Mitigate Your Risks. It’s nearly impossible to eliminate all your risks. That’s why it’s important to apply controls to reduce the risks to acceptable levels.

Mitigation often includes taking steps to reduce the likelihood that a risk will occur or lessen the severity of loss if it does happen or both. These steps can include implementing operational or technical controls or making changes to your physical environment. For example, you can mitigate the risk of malware by installing anti-malware software. The level of risk that remains is often referred to as “residual risk.”

Mitigation can take several forms: avoiding the risk, perhaps by discontinuing the activity that has created it; transferring the risk, for instance with insurance; reducing the risk, or accepting the risk, especially if the likelihood of its occurring or its potential impact on your business is low.

Reporting the Results

Each risk assessment should result in a risk assessment report that details the risk you’ve identified, including those affecting the cardholder data environment (CDE). The goal of the report is to clearly state the various risks that concern your company. The report may also explain the actions you took to remediate these risks.

Your PCI risk assessment report should include the following information:

Scope of your risk assessment: Describe your company as well as the internal and external guidelines you considered when you defined the scope of your risk assessment.

For the purpose of PCI DSS requirements, you can also include an overview of your cardholder data environment and the companies that support and process your cardholder data.

Asset inventory: Create a thorough list of assets that are in the scope of the risk assessment, for example, hardware, software, networking, and communications infrastructure, and employees.

Threats: List the threats that can harm your assets. You can also include a description of each threat that you’ve identified to spell out their characteristics.

Vulnerabilities: List the vulnerabilities related to technology and to your organization that can affect your assets.

Risk evaluation: Describe the technique you used to measure the risks you’ve identified so you can prioritize them.

Risk treatment (mitigation): Document the list of actions you’ve taken for each of the risks you’ve identified, along with how you handled those risks.

Version history: You might want to include the date, author, and the approver of the document.

Executive summary: This details your company’s overall risk posture before and after risk mitigation.

Get Help If You Need It

You should perform an annual risk assessment, at least, and another after you make any significant changes in your network. The risk assessment can offer direction on the vulnerabilities you should address first.

Conducting a risk assessment is often a long process, and only the first step toward PCI compliance. Meeting all the PCI requirements can take many months. Using quality governance, risk management, and compliance software can ease these tasks.

ZenGRC can help you track and manage your risks and to know where you are compliant with PCI DSS, where you fall short, and how to fill gaps. And its “single source of truth” repository keeps all your documentation in one place for easy retrieval at audit time.

Worry-free PCI DSS compliance is the Zen way. Contact us today for your free consultation.