The Payment Card Industry Data Security Standard (PCI-DSS) requires that companies undertake a periodic risk assessment to analyze, identify, and document any potential risks to the cardholder data according to PCI-DSS Requirement 12.1.2.
The risk assessment is part of a larger risk management strategy that Due employs, and it is intended to manage threats and vulnerabilities to the payments system. This extra encryption and certification protocol is in place to stay updated on the ever-changing business landscape that includes threats, trends, and new technologies, which are occurring at a faster rate in the payments industry. Having a risk assessment strategy in place provides a way to better allocate resources to implement the controls that will maintain cardholder data security.
In 2012, the risk assessment guidelines were updated to provide companies with a clearer understanding of how to proceed with their own periodic risk assessments. There is a variety of risk frameworks that can be used to conduct a PCI-DSS risk assessment, including NIST SP 800-20, OCTAVE, and ISO 27005. Others can also be used, depending on what the dependable needs are for the company’s size, industry, and business model.
Minimal requirements for risk assessment.
Within the parameters of what is required, the very basics must include what is outlined in PCI-DSS Requirement 12.1.2:
- An annual risk assessment that includes quantitative and qualitative analysis of data securement procedure and protocols.
- Defined methodology and documented process.
- Includes people, processes, and technology that impacts cardholder data environment security.
- Asset inventory, including all payment channels and any direct or indirect asset that impacts processing, transmission, storage and protection of cardholder data and the security of its surrounding environment.
- Threat and vulnerability identification and scoring, including internal assessment, such as staff, outsourcing, and third parties as well as organizational and technical vulnerabilities.
- A prioritized risk mitigation plan that responds to the annual risk assessment findings.
Key elements of a risk assessment.
The risk assessment team represents all departments and functions but is led by a team member who is knowledgeable about PCI-DSS requirements and understands how to deploy a risk assessment process.
Due has selected a risk assessment methodology that adapts common industry standards but that fits for the company’s culture and business climate. The components include risk identification, risk profiling, and risk treatment/acceptance.
Risk identification includes context establishment in which the internal and external parameters must be understood to define the scope of the risk assessment. Assets must also be identified that include anything of value to an organization related to processing, storage, transmission and protection of the cardholder data.
This includes all payment channels and involves organizing the assets into various relevant categories. Included in risk identification process is threat and vulnerability identification, including looking at the people, the systems used, and the conditions in which harm could be created, such as external hackers, cyber criminals, internal malicious individuals, human error, theft or physical damage.
Vulnerabilities also include any weakness in the system that can be exploited and that are related to systems, software, and even non-existent or ineffective policies and procedures. All of the risk identification also lists the results to the business should any of these risks be vulnerable in anyway.
Risk profiling presents all the possible risks to an asset, including characteristics of the threat, vulnerability, or risk. Existing controls are those that are already in place to protect against previously identified threats and vulnerabilities.
Risk evaluation provides a way to determine how significant each risk is and how resources can be used to mitigate the risk.
A quantitative risk assessment offers numerical values to the elements in the risk assessment, typically in monetary terms while a qualitative risk assessment uses objective statement based on previously gathered numerical data.
Once risks and vulnerabilities have been identified and measured, the next part of the process is risk treatment. This includes risk reduction, risk sharing or transference, risk avoidance and risk acceptance. Risk reduction means countermeasures, such as technical or operations controls or changes to the physical environment.
Risk sharing is sharing the risk with a third party, such as a service or equipment provider or an outsourced team. Transference is shifting the risk from one party to another. Risk avoidance involves withdrawing from the activity where the risk is involved. Risk acceptance means the organization accepts a certain risk because it falls within a certain area of risk tolerance.
The last part of risk assessment is reporting the results of the assessment. Each area should be explained in the report, including the scope of risk assessment, asset inventory, threats, vulnerabilities, risk evaluation, risk treatment, version history, and an executive summary. This helps the organization understand any changes from the previous year and create a plan of action to address any new risks that were identified during the assessment period.
Critical Success Factors
Critical success factors for risk assessment include identification of assets gathered from all stakeholders, maintaining a proactive approach rather than reactive, the ability to keep the risk assessment process as simple as possible using a published industry-standard methodology, and providing training to help everyone within the organization better understand the threats and vulnerabilities that could negatively impact our business or any cardholder data security or the organization.