The Payment Card Industry Data Security Standard (PCI DSS) has evolved over the years to provide a robust framework for securing cardholder data. With the advent of PCI DSS 4.0, the focus has shifted towards a more flexible, outcome-driven approach that prioritizes securing data rather than just complying with a checklist of requirements. A crucial component of this updated framework is targeted risk assessments.
The PCI DSS has removed the requirement for an organization-wide risk assessment and replaced it with targeted risk analyses for specific controls.
What Are Targeted Risk Assessments?
In the context of PCI DSS 4.0, targeted risk assessments involve a systematic and detailed evaluation of potential threats and vulnerabilities relating to the processing, storage, or transmission of cardholder data. This process aims to identify, measure, and prioritize risks that an organization might face and helps define strategies to mitigate these risks. Targeted risk assessments are an ongoing practice, not a one-time exercise.
How Do They Differ from Traditional Assessments?
In previous versions of PCI DSS, the focus was on an annual organizational risk assessment performed annually or when there was a major change to the business. PCI DSS 4.0, however, encourages organizations to take a more strategic approach to the continuous activities of securing payments. This means considering unique business factors, understanding specific threats relevant to one’s operations, and designing controls that effectively address those threats. It moves from a one-size-fits-all model to a more tailored, adaptive approach.
In PCI DSS 3.2.1 the term Risk Assessment was used to describe requirement 12.2. In PCI DSS 4.0 the new terminology is Risk Analysis. While many cybersecurity practitioners use the terms interchangeably, Risk Analysis is being used to identify a more complete and accurate measure.
NIST SP 800-30 Guide for Conducting Risk Assessments defines the Analysis Approach this way:
The approach used to define the orientation or starting point of the risk assessment, the level of detail in the assessment, and how risks due to similar threat scenarios are treated.
The intent of the new Targeted Risk Analysis requirement does not replace the need for an organization wide Risk Assessment, you should still do that even though it’s not a PCI 4.0 requirement.
By taking the Risk Analysis approach, PCI DSS 4.0 encourages a more thorough treatment of risk while still providing flexibility and avoiding “one size fits all” requirements.
The Elements of a Target Risk Analysis:
• Identification of the assets being protected.
• Identification of the threat(s) that the requirement is protecting against.
• Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
• Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
• Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
• Performance of updated risk analyses when needed, as determined by the annual review.
(Source: PCI DSS)
Benefits – Why this is better.
In PCI DSS 3.2.1, there was only one place that mentioned performing a Risk Assessment. PCI DSS attempts to be more risk based, encouraging merchants and service providers to do a better job of managing risk while providing flexibility in the approach for each requirement.
Some of the Security Activities Covered by Targeted Risk Analysis:
• Frequency of Malware Scans
• Review of all access by application and systems account privileges
• Password/Passphrase management
• POI device inspection
• Log reviews
• Vulnerability management
• Payment page tampering detection
• Training for Incident Response personnel
Conclusion
Targeted risk assessments in PCI DSS 4.0 represent a significant shift towards a more adaptive and strategic approach to data security. By encouraging organizations to critically analyze their unique contexts and risks, PCI DSS 4.0 aims to drive real, meaningful security outcomes. In a world where threats are increasingly sophisticated and constantly changing, this focus on targeted risk assessments is not just welcome – it’s essential.
Start Now: Targeted Risk Assessments in PCI 4.0 are considered best practice until 31 March 2025, and after that, they will be mandatory. Do not wait! It will take some time for your organization to develop Targeted Risk assessments for PCI, the sooner you start the smoother your PCI assessments will be.
By: Peter Thornton – Senior Security Consultant – CISSP | HCISPP | ISSMP | PMP | CISA | QSA
Contact us for more information about our cybersecurity solutions.
Peter Thornton
Peter Thornton is a Senior Security Consultant for the Risk Advisory Services practice at AccessIT Group (AITG). He helps clients identify needs and business drivers by analyzing security data and then translating security requirements in actionable steps, so that clients can make informed decisions. Peter holds many certifications in security and project management, including Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP).