PCI Council adds guidelines for data security risk assessment

The PCI Security Standards Council (PCI SSC) released the PCI DSS Risk Assessment Guidelines Information Supplement, a product of the PCI Risk Assessment Special Interest Group (SIG).

Organizations planning and performing a risk assessment in accordance with PCI DSS 12.1.2 can use the information supplement to help identify threats and the associated vulnerabilities that could jeopardize the security of payment card data.

PCI Special Interest Groups (SIGs) are Council-led groups made up of industry stakeholders that focus on addressing the need for additional guidance and clarifications or improvements to the PCI Standards and supporting programs.

PCI DSS Requirement 12.1.2 requires organizations to establish a formal process for identifying threats and vulnerabilities that could negatively impact the security of cardholder data. By performing this risk assessment, businesses are better equipped to determine the appropriate controls for reducing the likelihood and/or the impact of potential threats to their business.

“As there are a number of risk assessment methodologies out there, our stakeholders were looking for guidance on how to effectively apply these principles to their organizations to meet PCI requirements,” said Bob Russo, general manager, PCI Security Standards Council. “Through our community-driven SIG election process, our Participating Organizations selected this as a key focus area, and the result is a strong set of best practices to guide you through choosing the risk management approach that works best for your business.”

More than 60 organizations representing banks, merchants, security assessors and technology vendors collaborated to produce this guidance that will help organizations understand how to identify, analyze and document the risks that may affect their Cardholder Data Environment (CDE); prioritize risk-mitigation efforts to address the most critical risks first and more effectively implement threat-reducing controls; and determine how to effectively segment environments to isolate sensitive networks (such as the CDE) from non-sensitive networks, as part of an effective scoping methodology.

The information supplement outlines the relationship between PCI DSS and risk assessments; the various industry-recognized risk methodologies and key components of a risk assessment, including developing a risk assessment team and building a risk assessment methodology; risks introduced by third parties; as well as the risk reporting process and critical success factors.

Key recommendations include:

• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls).

Any organization that stores, processes, or transmits cardholder data can benefit from this guidance, including merchants, service providers, acquirers (merchant banks) and issuers. As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.