The Payment Card Industry Security Standards Council (PCI SSC) recently released the PCI DSS Risk Assessment Information Supplement (a PDF), providing additional advice for merchants seeking to comply with the risk assessment requirement found in PCI DSS requirement 12.1.2.
While these guidelines are not officially mandated, merchants can expect that Qualified Security Assessors (QSAs) will reference them when judging whether a merchant's risk assessment process fulfills the PCI DSS requirement. In this tip, we'll walk through the recommendations in the information supplement and explain how to integrate them into an enterprise compliance program.
Inside the PCI Risk Assessment Information Supplement
Merchants have been required to conduct risk assessments since the initial release of the PCI DSS. Specifically, requirement 12.1.2 mandates that a compliant organization's security program include "an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment." Although the standard goes on to cite OCTAVE, ISO 27005, and NIST SP 800-30 as examples of risk assessment methodologies, it stops short of dictating the process used by organizations to conduct the risk assessment.
The supplement mentions the same three risk assessment methodologies cited in the PCI DSS itself and explains that other frameworks, such as Factor Analysis of Information Risk (FAIR) and the Australian/New Zealand Standard AS/NZS 4360, may also be used. It goes on to outline the core activities that should be part of any risk assessment:
- Enumerating an organization's critical information assets
- Identifying threats that exist to those assets
- Identifying vulnerabilities that, when combined with a threat, may create a risk to the organization
- Developing risk management strategies for each of the risks identified in the assessment
Any process that includes these core elements should stand up to a QSA's scrutiny, so merchants are free to choose the risk assessment approach that best suits their business requirements and organizational culture.
Documenting risk assessment
The guidelines suggest that the risk assessment should yield a formal written risk assessment report. In practice this suggestion is really a mandate: the PCI DSS testing procedures require that QSAs "review risk assessment guidelines to verify that the risk assessment process is performed at least annually," and an assessor cannot verify a process that is not written down. Compliance professionals should pay particular attention to the elements the council suggests including in the report:
- Scope of risk assessment
- Asset inventory
- Risk evaluation
- Risk treatment
- Version history
- Executive summary
As with any suggestion from the council, it would be wise for merchants to follow this format in their organizations, perhaps going as far as to label the report's sections with these titles word for word. No auditor can claim that the report omits a required element if the organization follows the council's recommendation virtually verbatim.
Incorporating the guidelines into a compliance program
Many organizations already have formal risk assessment processes mandated by corporate governance requirements or other business practices. PCI DSS does not require companies to reinvent the wheel or run a separate process dedicated solely to this requirement; the guidelines allow quite a bit of flexibility. An organization that already conducts risk assessments should simply take steps to ensure that its assessment adequately covers the risks to cardholder data and meets the documentation requirements described above.
Companies embarking upon their first formal risk assessment, on the other hand, should consider broadening the scope beyond cardholder data to cover a wider range of organizational assets. Doing so delivers extra value to the organization and provides a means to prioritize PCI DSS-related efforts in the context of the larger risk environment.
A word of warning, however, for those hoping the risk assessment process might save some work: as the guidelines point out, the risk assessment may not be used to avoid PCI DSS security requirements or to bypass the compensating control process. Unlike some other laws and regulations (such as the HIPAA Security Rule), the PCI DSS contains no "addressable" requirements that can be skipped when a risk assessment indicates they are not warranted. An organization that cannot meet a requirement as written must still go through the formal compensating control process and document how the alternative control meets the intent of the original requirement.
Overall, the newly released risk assessment guidelines impose no new obligations on merchants seeking to comply with the PCI DSS. Rather, they clarify the existing requirement and give merchants several clearly documented options for satisfying their risk assessment obligations in a flexible manner that fits their business.
About the author
Mike Chapple, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Study Guide and Information Security Illuminated.