Understanding the New PCI Data Security Standard Guidelines.

By Evan Tegethoff ·

Recently, the Risk Assessment Special Interest Group (SIG) and Payment Card Industry (PCI) Security Standards Council published the PCI Data Security Standard (DSS) Risk Assessment Guidelines Information Supplement. This document provides guidelines for performing a PCI risk assessment in accordance with PCI DSS Requirement 12.1.2. This requirement mandates that any organization that stores, processes, or transmits cardholder data develops an annual process that identifies threats and vulnerabilities that could negatively impact the security of their cardholder data.

For building a PCI risk assessment methodology, the PCI DSS Information Supplement describes a number of key elements, such as:

  • Risk Identification– including context establishment, as well as asset, threat and vulnerability identification;
  • Risk Profiling– including controls identification and risk evaluation; and,
  • Risk Treatment– including risk reduction, sharing, avoidance and acceptance.
While the supplement provides solid direction for conducting a PCI risk assessment, organizations still have many questions about what differentiates a PCI risk assessment from other types of PCI security assessments. Examples include PCI gap analyses and general technical testing like vulnerabilities assessments and penetration tests. Here are the biggest differences between them all:
    • A PCI gap analysis assesses an organization’s current PCI security posture, identifies gaps, and develops a roadmap for remediating those gaps. However, simply reviewing current information security controls against the PCI DSS does not, on its own, constitute a PCI risk assessment. Conducting a PCI gap analysis would essentially just fulfill the “control identification” portion of the risk profiling phase.
  • A vulnerability assessment is the process of identifying, quantifying, and prioritizing the vulnerabilities in a system. Alternatively, penetration testing is a method of evaluating the security of a system or network by simulating a malicious attack. While technical tests like these are important (and are mandated by PCI DSS Requirement 11: Regularly test security systems and processes), these types of testing alone do not constitute a PCI risk assessment. Conducting vulnerability assessments or penetration tests help with vulnerability identification but don’t fulfill PCI risk evaluation requirements.
Overall, the distinctions between the various types of PCI security assessments make it extremely difficult for many organizations to understand their differences, to perform them, and to prioritize risk mitigation efforts to address the most critical risks first. This is why it is important for you to reference the PCI DSS Information Supplement and any other official guidelines that become available in the future, have an understanding about how to interpret these guidelines, and make the right decisions related to PCI security and compliance.

And never underestimate the power of risk management – it’s at the core of any good information security program, with risk assessment being a fundamental, ongoing activity. A solid risk assessment can help your business understand current information security risks, determine where money can be most effectively spent, and gain a broader view of the state of data protection in the enterprise. No individual compliance requirement or standard can do those things.