The PCI Risk Assessment: Three Examples of When to Conduct One

May 4, 2015 at 10:19 AM

Almost every day we hear in the news more details about a suspected credit card breach that puts the personal information of thousands, if not millions, of people in the hands of individuals whose only intent is to cause them harm. Naturally this raises the question of what a PCI Risk Assessment is and when one needs to be performed. First, let’s look at the requirements for a Risk Assessment and then discuss three times when one should be performed.

PCI DSS 12.1.2 requires establishing and maintaining a process for identifying threats and vulnerabilities, and prescribes, at a minimum, that a Risk Assessment be completed on an annual basis. But what are some other reasons that you would want to conduct a PCI Risk Assessment? Here are three reasons:

  1. Changes to Environment – When we make changes to our cardholder data environment (CDE) in any way, a thorough Risk Assessment needs to be completed. In fact, PCI DSS 12.1.3 states that an organization’s security policy will “include a review at least annually and updates when the environment changes.” So what are some of the changes that would warrant a Risk Assessment being completed? The addition or removal of any hardware and/or software would be one reason. Another is any change to the process by which you collect credit card information; that too warrants an updated Risk Assessment.
  2. Outsourcing to Third Parties – The age-old question that remains to this day is who owns the data when you outsource a portion of your organization’s technology to a third party. There is great debate over this question, and while there is no clear answer, best practices suggest that the company that outsources the technology and information is ultimately responsible to its customers at the end of the day. Before you outsource any portion of your CDE to a third party, conduct a thorough PCI Risk Assessment to understand what impact this might have on your organization and the credit card information that you are responsible for.
  3. Transition to a Risk-Based Strategy – The Risk Assessment provides you with a point-in-time snapshot of your current risks and mitigation strategies. Organizations should begin to make the move to a Risk-Based Strategy that includes, in an ideal world, an ongoing Risk Assessment process to identify threats and vulnerabilities proactively and ultimately transition from being a reactive organization to a proactive one.

So there you have it, three good reasons to complete a PCI Risk Assessment for your organization. For additional details and guidance, head over to the PCI Security Standards Council website, specifically the PCI Risk Assessment Information Supplement, which was written around the question of when and how to conduct a Risk Assessment.
