PCI DSS requires you to regularly understand and review the risks that are applicable to your environment. There are a number of different ways that you can understand and document your risks, including OCTAVE, ISO 27005, and NIST SP 800-30. This article explains one way that you can approach understanding and documenting your risks, but you should make sure that the method you use fits your organisation and is useful.
Risk assessments may need to be carried out at different levels because a business risk assessment is likely to be very different from a technical risk assessment. PCI risks cover both organisational and technical risks.
When Do You Have to Do A Risk Assessment?
Requirement 12.2 requires that you complete a risk assessment:
- At least annually, and
- Upon significant changes to the environment (for example, acquisition, merger, relocation, etc.)
Other examples of significant changes that might require a risk assessment could include significant changes to your architecture (for example, migrating to the cloud) or adding new payment channels.
Risk assessments are just one part of managing significant changes.
How Do You Perform a Risk Assessment?
Step 1: Define Your Process
Our example here uses a modified approach based on NIST SP 800-30. You might have a different process. This is just one example of how you might conduct a risk assessment and the steps you might follow. Remember, whatever process you follow, you need to have the process and the outcome documented for your organisation.
- Identify and document your critical assets, including people, technology and data.
- Identify and document threat sources, including both internal and external threats.
- Identify and document the vulnerabilities in your environment related to the people, processes, technology, and data.
- Determine and document the likelihood of the event occurring. This could be based on the frequency of the event occurring or based on the likelihood of it occurring during a set timeframe.
- Determine and document the impact if the risk occurs. This could be the financial impact, the impact to compliance, or another impact that applies to your organisational goals.
- Determine and document the controls that apply to each of the risks and how they can mitigate the risk.
- Determine and document the resulting residual risk after the controls have been applied.
- Assign the risk owners.
Step 2: Conduct the Risk Assessment
If you feel like you’re at a loss for how to start your risk assessment, NIST SP 800-30 provides a great starting point in Appendices D through I for risks that should be considered. Do you have to consider all of them? Absolutely not! You should be focusing on the threats and vulnerabilities that apply to your environment and the risks that your organisation actually faces. Follow your process and start documenting the risks that apply to your business.
There are a few specific risks that we would recommend considering as part of your risk assessment.
Risk of Non-Compliance
It seems obvious that there is a business risk if you are unable to demonstrate compliance with PCI DSS. In most cases, you have a contractual obligation to your bank to be PCI compliant. The result of non-compliance could include revoking your ability to process card transactions, extended remediation times and costs, and even fines imposed by the card brands. But understanding the results of non-compliance does not help address the root cause. Non-compliance could be caused by a lot of different things, including staff turnover, hardware or software going end of life or becoming unsupported, missing standard BAU processes required by PCI, or the non-compliance of service providers. While it’s useful to understand the result of non-compliance, addressing the potential causes is vital.
Logging and Monitoring
As part of the logging and monitoring requirements, you need to be considering how often you review logs that are not part of your daily log review. While some logs have to be reviewed daily, other logs can be reviewed less frequently. But these logs and the frequency of the reviews need to be considered as part of your risk assessment.
Other Areas to Consider
Other areas to consider for your PCI risk assessment might also include:
- Review of cryptographic algorithms and ciphers used to protect cardholder data to ensure they are considered strong.
- Review of insecure services and protocols used in the cardholder data environment.
- How frequently to conduct device inspections for card-present / retail staff.
Step 3: Assign Risk Owners
If nobody is responsible for managing your risks, you add a new risk: that nothing will be done to address them. To manage risk effectively, someone needs to take responsibility for each one. Not every risk can be mitigated, but every risk needs to have an owner.
Step 4: Track Your Risk Over Time
If you want to effectively understand how your risks are changing and how effective you are at managing your risks, you need to track your risks over time. This gives you a better understanding of what risks are increasing and which are decreasing and helps allocate your resources better. For example, you might have a very low risk of systems being unsupported right after you purchase them, but the risk of them being unsupported increases over time.
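As an added illustration (not code from the original article, from Confide, or from NIST SP 800-30), the following Python risk register walks through Steps 1 to 4 above: each risk records its asset, threat source, vulnerability, likelihood, impact, controls and owner, computes inherent and residual scores, and snapshots the residual score per assessment date so the trend can be tracked. The 1-5 scales, the control effectiveness fractions and the 365-day reassessment rule are assumptions made for the example.

```python
# Added example: a small risk register implementing the Step 1 to Step 4 process.
# Scales, control effectiveness values and sample risks are assumptions, not PCI DSS figures.
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Control:
    name: str
    reduction: float  # assumed fraction of the remaining risk this control removes (0.0-1.0)

@dataclass
class Risk:
    asset: str            # Step 1: critical asset (people, technology or data)
    threat_source: str    # Step 1: internal or external threat source
    vulnerability: str    # Step 1: weakness in people, process, technology or data
    likelihood: int       # 1 (rare) to 5 (near certain), assumed ordinal scale
    impact: int           # 1 (negligible) to 5 (severe), assumed ordinal scale
    owner: str = ""       # Step 3: the person responsible for this risk
    controls: list = field(default_factory=list)
    history: dict = field(default_factory=dict)  # ISO date string -> residual score

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Each control removes a fraction of whatever risk is still left
        score = float(self.inherent())
        for control in self.controls:
            score *= 1.0 - control.reduction
        return round(score, 2)

    def record(self, iso_date: str) -> float:
        """Step 4: snapshot residual risk at an assessment date so the trend can be tracked."""
        self.history[iso_date] = self.residual()
        return self.history[iso_date]

    def trend(self) -> str:
        if len(self.history) < 2:
            return "insufficient data"
        first, last = self.history[min(self.history)], self.history[max(self.history)]
        return "increasing" if last > first else "decreasing" if last < first else "stable"

def unowned(risks: list) -> list:
    """Step 3 check: list the vulnerabilities of risks that nobody owns."""
    return [r.vulnerability for r in risks if not r.owner]

def assessment_due(last_iso: str, today_iso: str, significant_change: bool = False) -> bool:
    """Requirement 12.2: reassess at least annually and upon significant change."""
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_iso)
    return significant_change or elapsed.days >= 365
```

Re-running `record()` at each annual review (and after any significant change) is what makes `trend()` meaningful; a risk whose score climbs between reviews, such as hardware approaching end of support, is where resources should go next.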
Need Help with Your Risk Assessment?
If you need help conducting your risk assessment or need an independent view on what your risks might be, contact us and find out how Confide can help.