On November 16th, 2012, the PCI Security Standards Council released an information supplement to the Payment Card Industry Data Security Standard (“PCI-DSS”) titled “PCI DSS Risk Assessment Guidelines” (the “Guidelines”). The Guidelines were authored by the Risk Assessment Special Interest Group (“SIG”) – a group of more than 60 organizations representing banks, merchants, security assessors and technology vendors. The Guidelines provide guidance and recommendations for performing a risk assessment in accordance with PCI-DSS Requirement 12.1.2. According to the Guidelines, the document does not “replace, supersede, or extend” any PCI-DSS requirements. Nonetheless, the Guidelines are a necessary read for any organization that stores, processes or transmits cardholder data.
PCI-DSS Requirement 12.1.2 requires organizations to establish, as a part of their security policy, a formal annual process that identifies threats and vulnerabilities and results in a formal risk assessment. The Guidelines provide an overview for understanding the relationship between PCI-DSS and risk assessments, along with a discussion of the overall benefits an organization may realize from conducting a formal risk assessment. The Guidelines also discuss several industry-standard risk methodologies that are available to assist organizations in developing their risk assessment processes (e.g., ISO, NIST, and OCTAVE). Organizations are advised that they may choose to incorporate and adapt any of the formalized risk assessment methodologies to the culture and requirements of their organization to ensure their particular risk objectives are met. The Guidelines address the essential components of a risk assessment methodology, including “Risk Identification,” “Risk Profiling,” and “Risk Treatment/Acceptance.” As a part of the risk assessment, it is suggested that organizations produce a report containing the scope of the risk assessment, an asset inventory, a list of threats, a list of vulnerabilities, and a risk evaluation.
Particular attention is given to the inclusion of applicable third parties in a risk assessment. The Guidelines note that risk assessments are “essential to understanding the level of risk that could be introduced to the organization by conducting business with third-party merchants and/or service providers.” To identify third parties that may be relevant to a risk assessment, the Guidelines recommend that an organization “study their [cardholder data] flows and any business processes involving [cardholder data].” In addition, the Guidelines recommend considering third parties “involved in the development, operation, or maintenance of their [cardholder data environment],” including application developers, data-center providers, web-hosting providers, data-storage providers, data/media/hardware-destruction service providers, managed services providers, outsourced operations teams (e.g., call centers), and contractors. While not specifically mentioned in the Guidelines, cloud service providers would certainly seem to be in scope if they process, store, or transmit cardholder data. The Guidelines advise organizations to re-evaluate relationships with their third-party merchants and service providers as a part of their annual risk assessment.