The Payment Card Industry Data Security Standard (PCI DSS) has always had a fairly distant relationship with risk assessments and risk in general. It has never been a risk-based standard, as it was developed to address specific threats to cardholder data. In fact, in previous versions of the Standard, the PCI Security Standards Council (PCI SSC) has only stipulated one requirement that covered risk assessments, and that was to simply state organisations should perform an annual risk assessment to address any risks above and beyond those covered by the Standard.
This has all changed, however, with PCI DSS v4.0, where risk appears in several places in the Standard. The concept of targeted risk analysis (TRA) appears throughout the requirements, with the inclusion of two different types of TRA.
Following on from our blogs on PCI DSS v4.0: Network Security Controls and on PCI DSS v4.0: Forced Password Changes and Zero Trust Architecture, where we explored smaller, but still impactful, changes in PCI DSS v4.0, this blog will explore the updated PCI DSS requirements around conducting TRAs.
What is a Targeted Risk Analysis (TRA) in PCI DSS v4.0?
TRA refers to the process of identifying, assessing, and prioritising security risks that are specific to a particular organisation, system, or environment. Unlike generic risk assessments, a TRA focuses on the unique risks and vulnerabilities that are pertinent to an organisation's operations, infrastructure, and compliance requirements. By tailoring risk analysis to specific contexts, organisations are able to gain deeper insights into their security posture and make informed decisions to mitigate risks more effectively.
The first type of TRA that crops up in v4.0 of the PCI DSS is to be used by organisations to define how frequently they perform a required activity. Many of the PCI DSS requirements simply state that a certain compliance activity should be performed ‘periodically’. For example, Requirement 5.3.2.1 states that if periodic malware scans are performed, the frequency of scans is defined in the entity’s TRA.
In these cases, a TRA is required to justify the frequency interval that is chosen, to ensure that the risk is reduced to an acceptable level and that excess risk isn't introduced by simply picking an arbitrary interval. The format of this TRA can be defined by your organisation; however, the PCI SSC does provide an example template that includes details such as the asset being protected, the threat impact, the threat likelihood, when the TRA should be reviewed, and other details.
These activity-frequency TRAs are not particularly challenging unless you lack experience in performing risk assessments and in the principles that underlie a successful risk assessment. For organisations that have not dealt with risk in any formal capacity before, there needs to be a period in which you develop an understanding of the basics of risk management before the TRAs can be completed.
The second type of TRA is to be used when an organisation is adopting the customised approach to meet a PCI DSS requirement or group of requirements, and this is a much more detailed risk assessment. As such, organisations need to be mature and experienced in their risk management processes. Again, a sample template has been provided by the PCI SSC, but this is much more in-depth than the other TRA template and includes a number of fine details, such as the likelihood of mischief occurring, the reasons for mischief occurring, how your control affects those likelihoods, a detailed impact analysis, the executive management review process, and much more. These types of TRA are not for the faint-hearted and, much like the prospect of utilising a customised approach itself, they should only be used by organisations that are risk mature and confident in their risk processes.
What are the reasons for and benefits of using TRAs to comply with PCI DSS v4.0?
One of the key benefits of TRA within the PCI DSS v4.0 framework is the ability to align the periodic requirements with the organisation's business objectives, processes, and systems. By assessing risks specific to the payment card environment, organisations can identify the vulnerabilities and threats that directly endanger cardholder data security and ensure they are addressed adequately.
TRA allows your organisation to make informed, risk-based decisions when implementing security controls and measures. By prioritising risks based on their potential impact and likelihood, you can allocate resources efficiently and focus on mitigating high-risk areas within the payment card environment.
Continuous improvement is a backbone of PCI DSS compliance because, in today's dynamic threat landscape, cybersecurity is a continuous process that requires ongoing monitoring, evaluation, and adaptation. TRA allows for continuous improvement by enabling you to regularly assess and reassess security risks, adapt to emerging threats, and enhance your security posture proactively.
Also, by conducting targeted risk analysis as part of PCI DSS compliance, you can raise awareness among stakeholders about the significance of security risks and the potential impact of data breaches. This heightened awareness can facilitate better communication and support for compliance as a whole within your organisation.
Closing Thoughts
TRAs are a critical component of PCI DSS compliance that enables organisations to better protect sensitive cardholder data. By conducting customised risk assessments, organisations can identify and mitigate risks specific to their payment card environment, enhance threat detection capabilities, align with compliance requirements, make informed decisions, drive continuous improvement, and raise stakeholder awareness.
How can URM help?
If your organisation would benefit from support managing its transition to PCI DSS v4.0 and understanding all of the new requirements, or with PCI compliance in general, URM's extensive experience as a PCI Qualified Security Assessor Company (PCI QSAC) means we are ideally placed to provide you with this support. Our team of PCI DSS consultants can assist you with the entire certification or recertification process, both with your assessment preparation and with the assessment itself. For example, we can offer a scope reduction service to help you define the most streamlined and appropriate certification scope, thus helping to reduce the amount of time the assessment takes and its cost. We can also conduct a gap analysis of your current environment against the PCI DSS requirements to identify the areas where you are compliant with the Standard, and any areas of noncompliance. If noncompliances are identified, URM's PCI DSS consultants will support you to complete any implementation and remediation activities necessary to ensure you can achieve and/or maintain compliance.
Once your organisation is fully prepared for a successful certification, URM can also offer a range of PCI DSS audit services to support and facilitate your assessment. We can conduct a pre-audit readiness assessment of your environment to establish its level of compliance and identify any areas of noncompliance still outstanding, providing you with another opportunity to remediate before the formal assessment. For organisations which need to complete a self-assessment questionnaire (SAQ), URM can offer a Qualified Security Assessor (QSA) SAQ where our QSA leads your completion of and countersigns your SAQ, or support your completion of the SAQ in an advisory capacity, depending on the level of support you would prefer. Meanwhile, if your organisation is a Level 1 merchant or service provider, we can deliver a full PCI audit led by experienced QSAs, culminating in a Report on Compliance (RoC).