Risk Assessment Guidelines

Updated on July 28th, 2021
Annuity Risk

The Payment Card Industry Data Security Standard (PCI-DSS) requires that companies undertake a periodic risk assessment to analyze, identify, and document any potential risks to the cardholder data according to PCI-DSS Requirement 12.1.2.

The risk assessment is part of a larger risk management strategy that Due employs, and it is intended to manage threats and vulnerabilities to the payments system. This extra encryption and certification protocol is in place to stay updated on the ever-changing business landscape that includes threats, trends, and new technologies, which are occurring at a faster rate in the payments industry. Risk assessment strategies provide a way to allocate resources. This is done to implement the controls that will maintain cardholder data security.

In 2012, the risk assessment guidelines were updated to provide companies with a clearer understanding of how to proceed with their own periodic risk assessments. There is a variety of risk frameworks that can be used to conduct a PCI-DSS risk assessment, including NIST SP 800-20, OCTAVE, and ISO 27005. Others can also be used, depending on what the dependable needs are for the company’s size, industry, and business model.

Minimal requirements for risk assessment.

Within the parameters of what is required, the very basics must include what is outlined in PCI-DSS Requirement 12.1.2:

  • An annual risk assessment that includes quantitative and qualitative analysis of data securement procedure and protocols. 
  • Defined methodology and documented process.
  • Includes people, processes, and technology that impacts cardholder data environment security.
  • Asset inventory. This includes including all payment channels and any direct or indirect asset that impacts processing, transmission, storage and protection of cardholder data and the security of its surrounding environment.
  • Threat and vulnerability identification and scoring. This includes internal assessment, such as staff, outsourcing, and third parties as well as organizational and technical vulnerabilities.
  • A prioritized risk mitigation plan that responds to the annual risk assessment findings.

Key elements of a risk assessment.

The risk assessment team represents all departments and functions but is led by a team member who is knowledgeable about PCI-DSS requirements and understands how to deploy a risk assessment process.

Due has selected a risk assessment methodology that adapts common industry standards but that fits for the company’s culture and business climate. The components include risk identification, risk profiling, and risk treatment/acceptance.

Risk identification.

Risk identification includes context establishment in which the internal and external parameters must be understood to define the scope of the risk assessment. Assets must also be identified that include anything of value to an organization related to processing, storage, transmission and protection of the cardholder data.

This includes all payment channels and involves organizing the assets into various relevant categories. Included in risk identification process is threat and vulnerability identification, including looking at the people, the systems used, and the conditions in which harm could be created, such as external hackers, cyber criminals, internal malicious individuals, human error, theft or physical damage.

Vulnerabilities also include any weakness in the system that can be exploited and that are related to systems, software, and even non-existent or ineffective policies and procedures. All of the risk identification also lists the results to the business should any of these risks be vulnerable in anyway.

Risk profiling.

Risk profiling presents all the possible risks to an asset, including characteristics of the threat, vulnerability, or risk. Existing controls are those that are already in place to protect against previously identified threats and vulnerabilities.

Risk evaluation provides a way to determine how significant each risk is and how resources can be used to mitigate the risk.

A quantitative risk assessment offers numerical values to the elements in the risk assessment, typically in monetary terms while a qualitative risk assessment uses objective statement based on previously gathered numerical data.

Risk treatment.

Once risks and vulnerabilities have been identified and measured, the next part of the process is risk treatment. This includes risk reduction, risk sharing or transference, risk avoidance and risk acceptance. Risk reduction means countermeasures, such as technical or operations controls or changes to the physical environment.

Risk sharing is sharing the risk with a third party, such as a service or equipment provider or an outsourced team. Transference is shifting the risk from one party to another. Risk avoidance involves withdrawing from the activity where the risk is involved. Risk acceptance means the organization accepts a certain risk because it falls within a certain area of risk tolerance.

Reporting results.

The last part of risk assessment is reporting the results of the assessment. Each area should be explained in the report. This includes the scope of risk assessment, asset inventory, risk evaluation, risk treatment, version history, and an executive summary. This helps the organization understand any changes from the previous year and create a plan of action to address any new risks that were identified during the assessment period.

Critical Success Factors

Critical success factors for risk assessment include identification of assets gathered from all stakeholders, maintaining a proactive approach rather than reactive, the ability to keep the risk assessment process as simple as possible using a published industry-standard methodology, and providing training to help everyone within the organization better understand the threats and vulnerabilities that could negatively impact our business or any cardholder data security or the organization.

John Rampton

John Rampton

John Rampton is an entrepreneur and connector. When he was 23 years old while attending the University of Utah he was hurt in a construction accident. His leg was snapped in half. He was told by 13 doctors he would never walk again. Over the next 12 months he had several surgeries, stem cell injections and learned how to walk again. During this time he studied and mastered how to make money work for you, not against you. He has since taught thousands through books, courses and written over 5000 articles online about finance, entrepreneurship and productivity. He has been recognized as the Top Online Influencers in the World by Entrepreneur Magazine, Finance Expert by Time and Annuity Expert by Nasdaq. He is the Founder and CEO of Due.

About Due

Due makes it easier to retire on your terms. We give you a realistic view on exactly where you’re at financially so when you retire you know how much money you’ll get each month. Get started today.

Due Fact-Checking Standards and Processes

To ensure we’re putting out the highest content standards, we sought out the help of certified financial experts and accredited individuals to verify our advice. We also rely on them for the most up to date information and data to make sure our in-depth research has the facts right, for today… Not yesterday. Our financial expert review board allows our readers to not only trust the information they are reading but to act on it as well. Most of our authors are CFP (Certified Financial Planners) or CRPC (Chartered Retirement Planning Counselor) certified and all have college degrees. Learn more about annuities, retirement advice and take the correct steps towards financial freedom and knowing exactly where you stand today. Learn everything about our top-notch financial expert reviews below… Learn More