New PCI Data Security Standard Guidelines | Optiv

December 18, 2012

Recently, the Risk Assessment Special Interest Group (SIG) and the Payment Card Industry (PCI) Security Standards Council published the PCI Data Security Standard (DSS) Risk Assessment Guidelines Information Supplement. This document provides guidelines for performing a PCI risk assessment in accordance with PCI DSS Requirement 12.1.2. That requirement mandates that any organization that stores, processes, or transmits cardholder data implement an annual process that identifies the threats and vulnerabilities that could negatively impact the security of its cardholder data.

For building a PCI risk assessment methodology, the PCI DSS Information Supplement describes a number of key elements, such as:

  • Risk Identification: including context establishment, as well as asset, threat and vulnerability identification;
  • Risk Profiling: including controls identification and risk evaluation; and,
  • Risk Treatment: including risk reduction, sharing, avoidance and acceptance.

While the supplement provides solid direction for conducting a PCI risk assessment, organizations still have many questions about what differentiates a PCI risk assessment from other types of PCI security assessments, such as PCI gap analyses and general technical testing like vulnerability assessments and penetration tests. Here are the biggest differences between them:

  • A PCI gap analysis assesses an organization’s current PCI security posture, identifies gaps, and develops a roadmap for remediating those gaps. However, simply reviewing current information security controls against the PCI DSS does not, on its own, constitute a PCI risk assessment. Conducting a PCI gap analysis essentially fulfills only the “controls identification” portion of the risk profiling phase; it does not evaluate the likelihood or impact of the threats those controls are meant to address.
  • A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Penetration testing, by contrast, evaluates the security of a system or network by simulating a malicious attack. While technical tests like these are important (and are mandated by PCI DSS Requirement 11: Regularly test security systems and processes), they do not on their own constitute a PCI risk assessment. Vulnerability assessments and penetration tests help with the vulnerability identification portion of the risk identification phase, but they do not fulfill the risk evaluation portion, which requires weighing identified threats and vulnerabilities against the assets and controls in place.

Overall, the overlap between these types of PCI security assessments makes it difficult for many organizations to understand their differences, to perform each one correctly, and to prioritize risk mitigation efforts so that the most critical risks are addressed first. This is why it is important to reference the PCI DSS Information Supplement and any other official guidelines that become available in the future, to understand how to interpret those guidelines, and to make the right decisions related to PCI security and compliance.


And never underestimate the power of risk management – it’s at the core of any good information security program, with risk assessment being a fundamental, ongoing activity. A solid risk assessment can help your business understand current information security risks, determine where money can be most effectively spent, and gain a broader view of the state of data protection in the enterprise. No individual compliance requirement or standard can do those things.
