Payment card risk guide

by Mark Rowe

New from a standards body for retail data security is a guide to risk assessment. The Payment Card Industry Data Security Standard (PCI DSS) covers PIN Transaction Security (PTS) and the Payment Application Data Security Standard (PA-DSS). The PCI DSS Risk Assessment Guidelines Information Supplement is a product of the PCI Risk Assessment Special Interest Group (SIG). Banks, shops and others planning and performing a risk assessment in accordance with PCI DSS Requirement 12.1.2 can use the information supplement to help identify threats, and the associated vulnerabilities, that could jeopardise the security of payment card data.

PCI Special Interest Groups (SIGs) are council-led groups that focus on addressing the need for more guidance on, and clarifications or improvements to, the PCI Standards and supporting schemes. PCI DSS Requirement 12.1.2 requires retailers and others that hold payment card data to establish a formal process for identifying threats and vulnerabilities that could negatively impact the security of cardholder data. By performing this risk assessment, businesses are better equipped to determine the appropriate controls for reducing the likelihood and/or the impact of potential threats to their business.

Bob Russo, general manager, PCI Security Standards Council, says: “As there are a number of risk assessment methodologies out there, our stakeholders were looking for guidance on how to effectively apply these principles to their organisations to meet PCI requirements. Through our community-driven SIG election process, our Participating Organisations selected this as a key focus area, and the result is a strong set of best practices to guide you through choosing the risk management approach that works best for your business.”

More than 60 banks, merchants, security assessors and IT vendors collaborated on this guidance seeking to help users understand how to identify, analyse and document the risks that may affect their Cardholder Data Environment (CDE); prioritise risk-mitigation efforts to address the most critical risks first and more effectively implement threat-reducing controls; and determine how to effectively segment environments to isolate sensitive networks (such as the CDE) from non-sensitive networks, as part of an effective scoping methodology.

The information supplement outlines the relationship between PCI DSS and risk assessments; the various risk methodologies and key components of a risk assessment, including developing a risk assessment team and building a risk assessment methodology; risks introduced by third parties; as well as the risk reporting process and critical success factors. Key recommendations include:

• Organisations should implement a formal risk assessment methodology that best suits the culture and requirements of the organisation
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organisation to mitigate such threats and vulnerabilities in a proactive and timely manner
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)

Any organisation that stores, processes, or transmits cardholder data can benefit from this guidance, including merchants, service providers, acquirers (merchant banks) and issuers. As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.

“As an open standards body, SIGs are one of the many ways we’re able to tap into the brain trust that is our global community. We’re appreciative to all those involved in the Risk Assessment SIG and thank them for their valuable contributions to payment card security through this useful resource,” added Russo.

The guidance on risk assessment is the first of three current SIG projects. Guidance on ecommerce security and cloud computing will be published in early 2013. Earlier this month Participating Organisations took part in an election to choose SIG projects for 2013. Results will be shared at the end of November, with SIGs to formally commence in January 2013. For the latest updates on SIGs, visit https://www.pcisecuritystandards.org/get_involved/special_interest_groups.php.

© 2024 Professional Security Magazine. All rights reserved.