Targeted Risk Assessments | Know Thy Risks

By Eugene Tyrell on April 18, 2022

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Eugene Tyrell

PCI DSS v4.0 introduces new expectations about what is required when it comes to assessing risk.  In contrast to the previous version of the Standard, risk awareness is a core concept that permeates much of PCI DSS v4.0. A search on the term “risk analysis” produces a prolific 80 results. It is clear that the next generation of PCI compliant organizations will be required to have an in-depth understanding of their risks, and also have strategies to mitigate them.

On March 31st, 2022 PCI DSS v4.0 was released. Today’s post is part of series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.


 

In the savanna, lions have developed a hunting technique when they come upon a herd of the more agile antelopes. The elder lion, which is typically slow, weaker, and with dull teeth, still commands a loud roar and hides in the tall grass and bushes while the other lions spread out around the antelopes and also hide in the tall grass. The old lion roars and the antelope instinctively run away into the fiercer lions lying in wait. Game over.  

Here’s the thing,  I wonder if the antelopes better understood the risk landscape, they may have run towards the roar and trampled, or at least outrun, the older, infirmed lion.


Understanding where the risk is hiding: What’s Lurking?  


While perhaps a bit of a stretch, I can’t help but draw a comparison between
an informed antelope and the recent updates around risk awareness in PCI DSS v4.0. The new Standard emphasizes the need for a thorough understanding of risks, leading to a more robust security posture, in addition to PCI compliance.
 


For some time now, we’ve understood the importance of recognizing risk however in PCI DSS v3.2.1, understanding risks was only briefly mentioned in section 12.2 as part of an enterprise-level risk assessment.

 

PCI v3.2.1

12.2 Implement a risk-assessment process that:

  • Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
  • Identifies critical assets, threats, and vulnerabilities, and
  • Results in a formal, documented analysis of risk.

 

 

PCI DSS v4.0 introduces new expectations about what is required when it comes to assessing risk.  In contrast to the previous version of the Standard, risk awareness is a core concept that permeates much of PCI DSS v4.0.search on the term “risk analysis” produces a prolific 128 results. It is clear that the next generation of PCI compliant organizations will be required to have an in-depth understanding of their risks, and also have strategies to mitigate them. The underlying objective and emphasis are that organizations evolve risk analysis to become a mature, integrated process.

 

PCI DSS v4.0 also introduces the concept of a targeted risk analysis. As one would expect, a targeted risk analysis emphasizes the need to perform risk analysis on specific scenarios.  Requirement 12.3 states, “Risks to the cardholder data environment are formally identified, evaluated, and managed.”

 

The sub-requirements 12.3.1 – 12.3.4, expand on that further by establishing four specific scenarios where targeted risk analyses are to be performed.

 

Requirement 12.3.1: Each PCI DSS requirement that provides flexibility for how frequently it is performed (for example, requirements to be performed periodically) is supported by a targeted risk analysis that is documented and includes:

  • Identification of the assets being protected.
  • Identification of the threat(s) that the requirement is protecting against.
  • Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
  • Resulting analysis that determines, and includes justification for, how frequently the requirement must be performed to minimize the likelihood of the threat being realized.
  • Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
  • Performance of updated risk analyses when needed, as determined by the annual review.

Requirement 12.3.1: allows organizations to determine the frequency of occurrence of a control and, to further demonstrate that the frequency is appropriate for the activity to be effective and meets the intent of the requirement. In v4.0 there are 23 controls where the entity determines the frequency of the control. Of course, with this wide-ranging flexibility comes big responsibility.  It is incumbent on the organization to build a mature risk analysis program that is repeatable and produces documented results that support its frequency decisions.   

 

Requirement 12.3.2: A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:

  • Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis).
  • Approval of documented evidence by senior management.
  • Performance of the targeted analysis of risk at least once every 12 months.

Objective: Ensure the entity can define and support, based on a risk assessment, that the controls used to meet or exceed a requirement’s objective, where the customized approach is used.  

 A reporting template can be found in Appendix E2 “Sample Targeted Risk Analysis Template” in the PCI 4.0 standard. 

This requirement only applies to those entities using the Customized Approach. 

Requirement 12.3.3: Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following:

  • An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.
  • Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use.
  • A documented strategy to respond to anticipated changes in cryptographic vulnerabilities.

Objective: Ensure the organization has a program that promotes “cryptographic agility,” and the entity is able to respond to vulnerabilities and design flaws in cryptographic protocols and algorithms used to protect the cardholder environment. 

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

Requirement 12.3.4: Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following:

  • Analysis that the technologies continue to receive security fixes from vendors promptly.
  • Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance.
  • Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology.
  • Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.

 

Objective: Ensure the entity has a program to ensure that they can prepare for, and manage, vulnerabilities in hardware and software that will not be remediated by the vendor or developer.  

This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment.

 

 


Where we go from here. 

In the new Standard, risk analysis is outlined loud and clear. Organizations are now required to understand their risks by incorporating formal, repeatable, and specifically targeted risk assessments into their overall compliance program. This discipline is a welcome step forward that, when done correctly, will significantly contribute to an organization’s security posture. 

 

Note: It should be noted that an enterprise-wide level risk assessment, as was part of PCI DSS v3.2.1, is still recommended to determine broader and emerging threats. This should be conducted as a part of the overarching risk assessment program.  

 


Online is ready to assist you in developing your PCI program, helping unpack what the v4.0 changes will mean for your organization, and then designing a compliance roadmap to get you there. For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Center, where we have identified and dissected many of the significant changes and new requirements in the latest release of the PCI Standard.

Submit a Comment

Get latest articles directly in your inbox, stay up to date