PCI DSS Requirement 12.2 requires all organizations to conduct an annual formal risk assessment to identify vulnerabilities, threats, and risks that specifically concern the cardholder data environment (CDE). Risk analysis requirement helps organizations identify, prioritize and manage information security threats.
Organizations that adopt a proactive security approach should develop a risk management plan to identify sensitive assets, assess vulnerability risks to those assets, and minimize these risks.
Enterprise Risk Management can take many forms. Risk management will play a critical role in most cases, depending on the size and nature of an enterprise. Business risk management requires careful consideration, both from a regulatory and due diligence perspective.
It is essential to analyze and evaluate the risks that may affect the confidentiality, integrity, and accessibility of the enterprises’ information systems and take appropriate actions. It is possible by planning and implementing IT Risk Management processes to virtually eliminate the risks that may occur.
IT Risks must be accurately analyzed and identified, and effectively managed. Risk methodology should be prepared appropriately in the studies. There must be no deviations in the preparation methods.
Businesses find it very difficult to analyze and evaluate their risks within their existing structures. Employees trying to manage their risks in companies cannot keep their knowledge up-to-date because technological developments, vulnerabilities, and threats always change, and different vulnerabilities occur. It is the best method to get support from external institutions as the third eye with an objective perspective.
When analyzing IT Risks, it is essential to explore the IT-related units and departments and the entire corporate system and operation. The possibility that a potential vulnerability in other teams may pose a risk to IT should not be overlooked. Information Technologies Units should take an active role in determining and implementing the security strategy.
What is PCI Risk Assessment?
Risk analysis is a detailed examination of identified risks with mid-level managers and employees who have detailed information about the business line and have responsibilities for the business line’s continuity. Potential participants could be business continuity team members, department/unit team leaders, technical experts, business managers, and project managers.
Risks related to information systems values are analyzed to determine how they will be controlled and managed. As a result of this analysis, not only primary and permanent (inherent) risks are evaluated, but also prolonged or residual risks (configuration and change controls or not using processes, etc.) are examined. Risk analysis is a study in which the values of information systems affected by business processes are thoroughly evaluated.
Creating a risk assessment or risk analysis is a method that examines potential vulnerabilities, threats, and risks to your company’s cardholder environment. Most companies are not sure where to start developing a risk assessment, but the risk assessment is more straightforward than expected.
The risk assessment should address the information system values classification’s appropriateness and whether appropriate controls have been applied. Information systems risk assessment is an essential part of risk management and business continuity and security planning. Risk assessment calculates business process dependencies and affected values in risk formation.
Why Do You Need to PCI Risk Assessment?
PCI DSS expects you to conduct a formal risk assessment, at least annually. A proper risk assessment will include a report that classifies the hazards and identifies remedies for improvement.
Risk management also offers you a systematic approach to monitoring and managing the company’s most critical threats. After the risks are identified, they are graded, and the necessary resources are allocated to reduce these risks.
Risk analysis should not be done solely to meet the PCI DSS requirement. A risk assessment is a systematic method used by organizations to identify risks and vulnerabilities that could adversely affect cardholder data protection, as required by PCI DSS.
Before any organization moves on to PCI Compliance, it must meet formal risk assessment requirements. Risk analysis provides an approach to analyze the current security posture of the environment, address current issues, and identify what might be wrong in the future because risks are dynamic. Those relevant today can be made irrelevant tomorrow.
The PCI risk assessment activity aims to eliminate blind spots and provide clarity through appropriate threat analysis. Based on threat intelligence, the client will be provided with actionable insight that best fits his environment.
How to Define Risk?
Risk is defined and measured using the probability multiplied impact formula. Risk can be defined as the potential to be open to harmful activity. Threats, weaknesses, impacts, and likelihood are components of risk.
Information systems risk is the potential of losing automation systems, networks, or other critical IT resources in a way that adversely affects business processes.
Risk management policies and documents supporting these policies should be established to identify, analyze, and monitor risks successfully. Establishing a risk management committee is one of the preferred methods to create risk management awareness and create and share a risk protocol suitable for the organization.
Due to the increasing dependence of organizations on data and information technology infrastructures, many organizations adopt the approach of addressing IT risks within business risk management strategies.
It is seen that the organizations work on the following subjects;
- Feasibility studies regarding the expenditures required to reduce the risks for information values
- Determining information values risks by business risks
- Costs required to manage information values risks
- Effectiveness of current risk management
- To be able to make comparative evaluations in its sector.
Evaluating a possibly numerical value will help to rank the different risks. You will need to prioritize and correct the hazards that cause your company the most damage.
Risk management is the process of taking action to identify, evaluate and reduce the risk to an acceptable level. It is possible to fulfill information systems risk management with five essential functions, each of which is of different importance but affects and supports each other;
- Risk Identification
- Risk analysis
- Risk assessment
- Risk Response
- Monitoring Risk Management
The information systems risk management process should establish communication between services and business units, be organizational, structured, and repeatable, prone to international best practices, and controllable by internal and external teams that have an audit on this issue.
IT risk areas can be expressed as follows;
- IT management and strategy risk: The risk that IT will not work as a business-related unit due to IT strategies not being compatible with business strategies and not being shared.
- IT skills and technological development risk: IT risk will fail to realize innovations that will keep business units among the industry leaders and improve their business capabilities.
- IT architecture risk: The risk of not having an effective, standard, and sustainable infrastructure that will support the needs of IT business units to be efficient, cost-effective, and well-controlled.
- Business continuity risk: The risk of IT not being able to maintain critical operations and processes
- Compliance risk: The risk that IT will not be able to provide support to meet legal regulators’ requirements.
- IT resources risk: The risk of IT’s inability to manage its human and financial resources with proper preparation and planning.
- Supplier management risk: IT organizations risk not correctly engaging with procurement, outsourcing, and service providers.
- 3rd party relationships risk: The risk of business environment and information being shared by 3rd party persons and organizations
- Project development risk: Risks arising as a result of poor IT project planning and management
- Risk of making changes: The risk of not being able to change the technology environment appropriately
- IT reputation and customer satisfaction risk: the risk of IT not being able to adequately meet business requests, service level agreements, and IT support.
- Information risk: The risk of not managing and storing sensitive and vital business information properly.
- IT security risk: The risk of IT infrastructure and resources being vulnerable to threats
- Online / Web risk: The risk of IT failure to maintain its web presence
Risk management planning should aim to monitor and control threats and vulnerabilities to mitigate their potential impacts. To manage risks, it is necessary to know what the priorities and risks are. For this reason, acceptable risk tolerance and appropriate controls should be defined, taking into account the significance and the effects that occur when risks occur.
Policy, procedure, guidelines, and standards should be developed to define roles and responsibilities and provide guidance and instructions. Threats, weaknesses, and impacts on information systems values are not fixed and change over time.
For this reason, all definitions should be created in a repetitive structure to evaluate threats, weaknesses, and potential impacts not only once but in a repetitive order.
The main issues that determine an effective risk management process are;
- Access, authentication, authorization control
- Organizational structure
- Incident management
- IT policy management
- Audit / Evaluation
- Training and awareness-raising
- Operational design
- Value inventory creation, classification, and management
Risk determination assesses the (known and potential) threats, liabilities, and vulnerability to attacks with business leaders.
Department managers, CFO (Chief Financial Officer), Human Resources Manager, Information Systems Manager, CIO (Chief Information Officer), Legal and Internal Audit employees, although it varies according to the size of the organization, organizational structure, and defined roles, be able to be an Information Security Manager and Risk Manager.
Information systems resources and data should be identified and classified according to their impact on the business. This functional area supports risk management and disaster recovery plan by knowing and properly prioritizing all information systems resources. Resource owner and subject expert are defined to be used as reference points for resources.
Risk records should be created as a result of risk determination studies. Risk records should include a risk number, the owner of the risk, the class of the risk, the explicit statement of the risk, and the value of the risk (high, medium, low, etc.). During risk assessment studies, techniques that can be used include incident analysis, threat modeling, vulnerability analysis, scenarios, and brainstorming.
Which Risk Management Standards Can You Use?
The risk management methodology to be used will depend on the specific environment in which the company operates. The PCI Security Standards Council recommends using risk management methodologies generally accepted by the industry.
ISO27005, NIST (National Institute of Standards and Technology) 800-30, and OCTAVE (Operational Critical Threat Presence and Vulnerability Assessment) are industry-accepted and widely used risk management methodologies.
ISO27005 is part of the ISO 27000 series and fully supports the specific definition of the 27001 standards for information protection. It’s a big part of measuring and evaluating what you have as part of the risk rating process. Before assessing a risk-based on probability and impact, you need to understand what you have.
Another industry standard, NIST 800-30, is based on federal specifications. NIST defines risk management as the way companies identify, measure, and prioritize risk.
OCTAVE, a member of the CMU (Carnegie Mellon University) Software Engineering Institute, also offers a widely accepted risk management approach. OCTAVE approaches are characterized as a “self-directed, scalable and advanced” approach that uses inter-organizational teams collaborating with IT to solve information security risks.
Formal risk assessment serves to get the overall business picture and determine which resources to prioritize according to risk ranking. Viewing the annual risk assessment as an ordinary item on the checklist is a weak approach to information security. Remember, without risk analysis; you cannot protect your company against threats you do not know about.
What are the PCI DSS Risk Assessment Requirements?
According to the 12.2 requirements of the Payment Card Industry Data Security Standard (PCI DSS), any organization that processes, transmits, or stores payment cards should implement a risk assessment process at least once a year and when there are significant changes in the environment.
The risk assessment process should identify sensitive assets, risks, and vulnerabilities and their possible effects on the cardholder data environment. A systematic, recorded risk analysis should result from the risk evaluation.
Using vulnerability assessment reports, penetration test reports, and professional security assessments, organizations can define these vulnerabilities. In order to reduce these vulnerabilities, the PCI DSS risk assessment also provides businesses with remediation techniques to incorporate risk management strategies.
Since the PCI DSS standard was first introduced, vendors have been required to conduct risk assessments. OCTAVE, ISO 27005, and National Institute of Standards and Technology (NIST) Special Publication 800-30 are cited as risk assessment methodologies in the PCI DSS standard. However, the PCI DSS standard does not specify the process companies should use to make risk assessments.
Conducting a risk evaluation helps to provide feedback on which vulnerabilities a business should first resolve.
An organization can conduct the following according to the PCI DSS risk assessment requirements:
- Conduct a risk assessment once a year or when significant changes are made to the cardholder data environment.
- Perform a thorough risk assessment before outsourcing the cardholder data environment. It would help if you also considered the impact of outsourcing on organizations and credit/debit card information.
- Identify all vulnerabilities and threats to both primary and secondary critical assets.
- Document the results of the risk evaluation of the PCI, describing all risks during the risk evaluation.
- Have an appropriate risk reduction or treatment plan to deal with any emergency.
- Protect your critical assets from any future threats.
- Detect vulnerabilities and fix vulnerabilities promptly to reduce the chance of a vulnerability being exploited.
- All critical assets that may directly or indirectly affect the cardholder data environment’s security must cover all payment channels in the risk assessment.
Five Steps to Do a PCI Risk Assessment
Conducting a risk assessment is the first step towards compliance with PCI DSS. You know that you need to comply with the PCI DSS, but starting with a risk assessment is the right step if you do not know where to start.
1. Map Your Card Data Flow
If you do not know where sensitive credit card data is located on your systems, you cannot secure your credit card information. You need to know where your card data is stored, processed, transmitted, and backed up. To do this, you must create a data flow diagram for your card data.
While creating your card data flowcharts, you should review your business processes and check the following locations:
- Where card data enters your organization
- Where your system processes card data
- Where card data leaves your environment
- Where your system stores card data
2. Identify Vulnerabilities, Threats, and Risks
You need to identify issues within the company, including vulnerabilities, threats, and risks.
Vulnerabilities are loopholes in your defense that could lead to a breach incident. Exposure is a structural, design, implementation, or lack of internal control. A vulnerability could be a flaw in your building’s architecture that could lead to card data being stolen.
There are basic types of vulnerabilities, organizational and technical. Organizational shortcomings can include ineffective or non-existent policies and procedures. Technical deficiencies may consist of errors or limitations in the production and implementation of information systems.
Organizational and technical security flaws include:
- Operating system software problems
- Lack of security policy
- Incorrectly configured firewalls
- Incorrectly coded website
The threat is the potential to trigger a weakness. Threat types can vary from environment to environment. Some bad examples are as follows:
- Hackers who download malware to your system
- Power outages
- Work partners
- Chemical leakage
Risks measure the possible impact on the company and customers of the likelihood of a particular threat exploiting a specific vulnerability.
Risks are the likelihood of a threat exploiting a vulnerability and resulting in a security breach. According to PCI, the risk is not a specific factor or situation. It is a combination of factors or actions that could harm the company if trouble occurs.
A device that enables weak passwords, for instance, is vulnerable to attacks. The threat is that a hacker can crack the password and enter the network. The risk is that your device will store unencrypted cardholder data.
3. Analyze Your Risk Level
It would be safer if you discovered the threats your business could have. By prioritizing the risks you have identified, you will evaluate what needs your organization to focus most. When assessing the level of risk, consider the following:
- Likelihood of occurrence: What is the probability of occurrence of the risk you identified? For example, a hurricane has less impact on organizations in Colorado than it does in Florida.
- Potential Impact: How will your organization be affected by the risk you identified? For example, a computer screen displaying card data inadvertently may have less impact than malware targeting your Wi-Fi.
A risk level should be given to each vulnerability and threat, such as high, medium, and low. Setting risk levels allows you to create a list of security issues as priorities.
4. Create Your Risk Management Plan
You now have a list of possible risks for your company. Now you have to decide whether to deal with these threats or not. This method consists of three main steps:
- Plan how security controls will be evaluated, prioritized, and implemented.
- Apply the appropriate security approach to tackle the highest risk areas.
- Check the security measures you have put in place and watch out for new risks.
When designing a Risk Management Plan, you should explain how you manage potential risks and solve protection.
Finding every flaw in your organization on your own is complicated, if not impossible. You can raise your security maturity by performing additional checks such as:
- Internal and external vulnerability scans: Perform automated vulnerability tests inside and outside your network.
- Penetration tests: Perform hands-on penetration testing to find weaknesses and vulnerabilities of your systems and processes.
- Gap Analysis: Gap analysis advises where protection and compliance gaps are and the next steps.
5. Create Documents Required for PCI DSS
The central part of your risk assessment is to create the necessary documents and reports. Unless you document the precautions, you cannot prove to the PCI QSA that you have conducted a risk assessment. Be sure to record your daily progress in resolving these precautions and the risks you listed.
PCI DSS recommends that the risk assessment should provide a formal written risk assessment report. To ensure that the risk assessment process is carried out at least annually, PCI audit procedures require QSAs to review risk assessment guidelines, so this risk analysis report is truly a must.
Compliance experts should pay particular attention to what the council suggests to include in the report:
- Scope of the risk assessment
- Asset inventory
- Risk assessment
- Risk treatment
- Version history
- Executive summary
As with any suggestion from the council, it would be wise for traders to follow this format in their organizations, perhaps even as far as labeling the sections that contain these headings word for word.
Establishing a risk assessment is one method, but securing the company is worth it. Risk analysis is the first step to ensuring your company’s safety, so make sure you do it right.
Key to Success in Risk Assessment
Today, all kinds of developments are becoming more dependent on the internet and information technology systems. As a result, the risks on the systems are more recognized and seen as necessary. Security gaps or errors in information systems lead to severe business crises and reputational losses. For this reason, many regulatory organizations impose new compliance obligations.
The question that the members of the company’s Board of Directors would like to hear the answer to is evident worldwide; How can we reduce risks on information systems and increase return on investment. The response to the question lies in looking at risks to information systems within the management of business risk.
Information technology risks should be identified, measured, and managed as part of all organization risks. The approach applied to manage and balance information risks is called information technology risk management.
A successful risk management program depends on the top management’s responsibility, the full support, participation of the information technology team, the competence of the risk assessment team, and the organization’s members’ awareness and cooperation.
The risk assessment team should apply risk assessment methodologies to the determined systems, identify critical risks, and propose cost-effective practices that fit the organization and meet the needs. Organization members will contribute to the risk management process as long as they follow the defined procedures and comply with the applied controls.
A risk assessment for PCI DSS compliance should be done at least once a year and after significant network changes. The risk assessment will also help guide you on which security vulnerabilities you should fix first. Addressing the vulnerabilities will increase the time an attacker can exploit the system.
Tracking the activities of systems consistently throughout their life cycle is an enormous challenge. Systems and processes need to evolve because risks are also changing. Besides, misunderstandings about the concept of risk assessment lead to distortion of an assessment practice that does not serve a real purpose.
Only conducting a formal risk analysis meets the specific requirements of some compliance standards. However, this does not protect you from outside risks.
Risk assessments can be a lengthy process, so start by finding and resolving the most critical vulnerabilities in your organization and repeat the process for medium and low-risk risks. Then decide and record the appropriate steps in your risk management plan to protect your network.