PCI Security Standards Council Releases Risk Assessment Guidelines
The PCI Security Standards Council (PCI SSC) has released the PCI DSS Risk Assessment Guidelines Information Supplement, a product of the PCI Risk Assessment Special Interest Group (SIG). Organizations planning and performing a risk assessment in accordance with PCI DSS Requirement 12.1.2, which calls for an annual process that identifies threats and vulnerabilities and results in a formal risk assessment, can use the information supplement to help identify the threats, and the associated vulnerabilities, that could jeopardize the security of payment card data. By performing this risk assessment, businesses are better equipped to select the controls that reduce the likelihood and/or the impact of those threats to their business.
The information supplement outlines the relationship between PCI DSS and risk assessments; the various industry-recognized risk methodologies; the key components of a risk assessment, including assembling a risk assessment team and building a risk assessment methodology; the risks introduced by third parties; and the risk reporting process and critical success factors.
Key recommendations include:
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
Any organization that stores, processes, or transmits cardholder data can benefit from this guidance, including merchants, service providers, acquirers (merchant banks) and issuers. As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.