Understanding the New PCI Data Security Standard Guidelines
Recently, the Risk Assessment Special Interest Group (SIG) and the Payment Card Industry (PCI) Security Standards Council published the PCI Data Security Standard (DSS) Risk Assessment Guidelines Information Supplement. The document provides guidance for performing a PCI risk assessment in accordance with PCI DSS Requirement 12.1.2, which mandates that any organization that stores, processes, or transmits cardholder data implement an annual risk assessment process that identifies the threats and vulnerabilities that could negatively impact the security of its cardholder data.
For building a PCI risk assessment methodology, the Information Supplement describes a number of key elements, including:
- Risk Identification: establishing context, and identifying assets, threats and vulnerabilities;
- Risk Profiling: identifying existing controls and evaluating risk; and
- Risk Treatment: reducing, sharing, avoiding or accepting each identified risk.
Two activities are frequently mistaken for a PCI risk assessment:
- A PCI gap analysis assesses an organization’s current PCI security posture, identifies gaps against the standard, and develops a roadmap for remediating those gaps. However, reviewing current information security controls against the PCI DSS does not, on its own, constitute a PCI risk assessment. A gap analysis essentially fulfills only the “control identification” portion of the risk profiling phase; it does not evaluate the likelihood or impact of the threats those controls are meant to address.
- A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Penetration testing, by contrast, evaluates the security of a system or network by simulating a malicious attack. While technical tests like these are important (and are mandated by PCI DSS Requirement 11: Regularly test security systems and processes, which calls for recurring vulnerability scans and penetration tests), they alone do not constitute a PCI risk assessment. Vulnerability assessments and penetration tests contribute to the vulnerability identification step, but they do not satisfy the risk evaluation step, which also has to weigh threats, assets and business impact.
And never underestimate the value of risk management: it is at the core of any good information security program, with risk assessment being a fundamental, ongoing activity rather than a once-a-year checkbox. A solid risk assessment helps a business understand its current information security risks, determine where money can be spent most effectively, and gain a broader view of the state of data protection across the enterprise. No individual compliance requirement or standard can do those things on its own.