Periodic Task TRAs
Throughout PCI DSS v4.0 you will see quite a few mentions of targeted risk analyses (TRAs) used to show how you determined the frequency of a periodic task. For example, you will need a TRA that results in a defined frequency for inspecting your payment terminals (Requirement 9.5.1.2.1, which points back to the TRA elements in Requirement 12.3.1).
Sounds simple, right? But here's where things get a bit complex: you might have different systems with different levels of risk. Building on that initial example of inspecting your payment terminals, you might have a combination of attended terminals that sit with one of your frontline staff and unattended terminals that sit out in a car park, for example. Sure, not everyone will have multiple types of payment terminals. But this shows why you might not be able to rely on a single TRA to meet your PCI DSS obligations. You need to know your environment well enough to recognise when you need more than one, to justify different frequencies based on different risks.
Example of a Periodic Task
Take the payment terminals that sit with your frontline staff. If they're behind a secured desk, or there is always somebody watching over them, there may be a reason to inspect them a little less frequently. But what about the ones nobody is watching? What about the payment terminal at the back of the car park that isn't covered by the CCTV you use to make sure nobody is doing anything dodgy out there? Those are the kind you may need to look at more regularly, to make sure nobody has tampered with or substituted a device that is low-hanging fruit.
From these two examples you can see that the terminals don't have the same risk profile: one is much more likely to be tampered with than the other, so applying the same frequency to both might not be what you want. That's not to say you couldn't examine them all daily, or several times a day. But where there is a significant difference you want to account for, you may want to assess the risk behind the frequency of a periodic task separately, based on the system or process involved, or on the likelihood of an event occurring.
What’s Included in a TRA for a Periodic Task?
So what do you need to include in your TRA? Requirement 12.3.1 lists the elements:
- the assets that are being protected,
- the threats that you are protecting those assets against,
- the factors that contribute to the likelihood or impact of that threat being realised.
The result is a documented analysis that determines and justifies how frequently you are performing the task in order to prevent that threat from being realised.
These TRAs need to be reviewed at least once every 12 months to confirm the results are still valid. If the annual review finds that the analysis is out of date (for instance, because you have deployed a new type of terminal), you need to update it as part of that review.