A PCI DSS risk assessment is a formal process that companies use to identify threats and vulnerabilities that could have a negative effect on the security of payment card data. 

According to requirement 12.2 of the Payment Card Industry Data Security Standard (PCI DSS), any organization that processes or handles payment cards must implement a risk assessment process that is performed at least annually and when there are significant changes to the environment. 

The risk assessment process must identify critical assets, threats, and vulnerabilities, and the effect they may have on the cardholder data environment. The risk assessment should result in a formal, documented analysis of risk. 

Merchants have been required to conduct risk assessments since PCI DSS was first released in December 2004. The standard cites OCTAVE, ISO 27005, and the National Institute of Standards and Technology (NIST) Special Publication 800-30 as examples of risk assessment methodologies. However, it doesn't dictate the process that companies should use to conduct their risk assessments.

The PCI DSS risk assessment offers organizations guidance to help them identify, analyze, document, and manage the information security risks that may affect their cardholder data.

Organizations can identify the vulnerabilities behind those risks using vulnerability assessment reports, penetration testing reports, and technical security audits. The PCI DSS risk assessment also provides companies with remediation strategies so they can apply risk management to mitigate those vulnerabilities.

Conducting a risk assessment helps provide direction on which vulnerabilities a company should address first.

According to the PCI DSS risk assessment requirements, an organization has to:

  • Conduct a risk assessment once a year or anytime it makes significant changes to the cardholder data environment.
  • Perform a thorough risk assessment before it outsources any portion of its cardholder data environment to a third party. The business also has to consider the effect outsourcing could have on the organization and the credit/debit card information.
  • Identify any vulnerabilities and threats to both its primary and secondary critical assets.
  • Document the outcome of the PCI risk assessment, including all the risks identified during the assessment.
  • Have a proper risk mitigation or treatment plan to deal with any emergency.
  • Protect its critical assets from any threats that could surface in the future.
  • Identify weaknesses and correct vulnerabilities in a timely manner to reduce the likelihood that a vulnerability will be exploited.
  • Cover all payment channels in the risk assessment, including all the critical assets that can directly or indirectly impact the security of the cardholder data environment.