Solutions The best route to security compliance
Platform A powerful suite of ISMS features
Resources Everything you need to know
Knowledge Base Learn more about infosec
Company Security and customers first
Hicomply I
Hicomply app

PCI-DSS Risk Assessments

Security compliance is an ever-changing landscape, with new threats popping up constantly. This makes it increasingly difficult for businesses to remain on top of any vulnerabilities – highlighting the need for a PCI-DSS risk assessment.

A PCI-DSS risk assessment helps you to identify and act on new and existing threats on your cardholder data environment by using a tried-and-tested method.

Is a risk assessment required for PCI compliance?

According to PCI Requirement 12.2., a PCI-DSS risk assessment is required to remain security compliant. This requirement states that it is mandatory for relevant businesses to ensure all assets, threats, and vulnerabilities are identified so that a formal PCI-DSS risk a

This requirement states that relevant organisations must have a process in place to identify all assets, threats, and vulnerabilities. This means conducting a formal risk assessment through one of several different approaches. The PCI-DSS risk assessment requirements specify the following methods:

  • ISO 27005
  • OCTAVE
  • National Institute of Standards and Technology (NIST) Special Publication 800-30

Why are risk assessments important?

PCI-DSS risk assessments are not just important for maintaining compliance. When your business performs regular risk assessments, you can continuously monitor for threats and vulnerabilities – giving you a much clearer view of your overall security landscape.

As security risks are constantly evolving, something that may not have been an issue last year could be a major problem in the present due to changes in the environment. A PCI-DSS risk assessment keeps you aware of these changes so issues can be tackled quickly and effectively.

How to conduct a PCI-DSS risk assessment

Your PCI-DSS risk assessment should be made up of five core steps listed below;

  • Scoping your assessment
  • Identifying potential risks
  • Analysing your risk levels
  • Establishing a strategy
  • Documenting your strategy

Step 1: Scoping your assessment

To begin the PCI-DSS risk assessment, you will need to scope all relevant areas of your business to ensure every potential issue is found – it’s important not to cut any corners. Your PCI scope will need to include all assets included in your cardholder data environment (CDE).

This may be a wider scope than you’d initially expect. There will be several people, systems, and technology involved in your business’ payment process that could potentially impact the security of the cardholder data.

You will need to consider many different factors when completing the scope ahead of the PCI-DSS risk assessment. One of the easiest ways to do this is through mapping the flow of the payment process from start to finish – helping you understand exactly how it works in the

The way your business consumes cardholder data will need to be assessed, as well as how it is processed and transmitted through the CDE immediately afterward. It’s also important to include who in your company has access to the cardholder data, and whether these people (or even computer systems) could potentially impact the CDE.

Step 2: Identify potential risks

Once you’ve mapped out every area that will need to be examined as a part of your PCI-DSS risk assessment, you will need to test the environment for vulnerabilities and issues. This may seem like quite a daunting task initially, but sectioning off the risks into categories allows you to tackle the PCI assessment process in a more straightforward way.

Vulnerabilities, threats, and risks could arise in the following forms:

  • Digital risks: These could include weak passwords or flaws in the software.
  • Physical risks: Retaining physical copies of cardholder data can pose a threat.
  • Internal threats: Employees who aren’t appropriately trained may increase the risk of a breach.
  • Negligence: Could an unknowing employee make a mistake that puts the data at risk?
  • Intentional threats: Could a disgruntled former employee leak vulnerable information?
  • External threats: Hackers may use vulnerabilities as an opportunity to launch a cyber-attack.
  • Environmental issues: Acts that are out of the business’ hands, such as fires, that could compromise the safety of cardholder data.

Step 3: Analyse your risk levels

The next step in your PCI-DSS risk assessment is to analyse each threat so they can be ranked on severity – this is known as the ‘risk level’.

These risk levels are based on both the likelihood and potential impact on your organisation. The levels are usually simple - just ‘high,’ ‘medium,’ and ‘low’ risk. This will then allow you to prioritise actions based on the urgency of the threats.

Consider these two aspects when ranking your vulnerabilities:

  • Risk likelihood: You will first need to consider how likely it is that a threat would come to fruition.
  • Risk potential: You will also need to assess how much damage the threat could do to your organisation.

Creating the risk level system is a crucial element of your PCI-DSS risk assessment as this will essentially form your risk management strategy. 

Step 4: Establish your risk management strategy

Once you’ve created your risk level system, you can begin to build your strategy. You may want to appoint a team to own this process, regularly documenting their findings for future reference.

It’s important to note that not all risks can be removed completely, so the strategy must consider how the security controls can be evaluated and implemented to reduce the risks to a more manageable level – known as residual risk.

Once you’ve established how the risk mitigation process works and tracks information, you can then apply the necessary security levels to address the highest-priority risks. Once this is completed, you will then need to continue to monitor how successful this has been and whether any emerging risks have been missed.

Step 5: Document your risk assessment

Once you’ve completed your risk assessment, you will need to create a formal report made up of all your findings, including details on each issue or vulnerability found and how these have been tackled.

The report should be split up into the following sections:

  • Version history: The author of the document and the date the assessment was completed
  • Executive summary: A summary of your organisation’s security compliance status both before and after the assessment 
  • Risk assessment scope: An overview of your company and its cardholder data environment
  • Risk assessment approach: An outline of how your organisation conducted the risk assessment, including methods used to categorize and prioritise issues
  • Asset inventory: A list of the assets included in your assessment
  • Threats: A list of threats discovered that could potentially impact your assets 
  • Vulnerabilities: A list of vulnerabilities discovered that could be taken advantage of by existing threats to impact your CDE
  • Risk assessment results: A list of categorised risks and the actions that will be taken to mitigate these

How often should you conduct a PCI-DSS risk assessment? 

To remain compliant, you will need to conduct a PCI-DSS risk assessment at least once a year. You will also need one if there have been any significant upgrades or changes to your CDE security system, such as additional staff gaining access or modifications to the program. This will help to address any necessary vulnerabilities before a threat can present itself.

Compliance as you work with Hicomply

A PCI-DSS risk assessment requires your business to stay on top of a lot of documentation and any mistakes made could cost you compliance. This is why Hicomply’s full-service ISMS platform allows you to access all your information in just one place.

By removing any additional stress during the security compliance process, your company can focus on the things that are more important to you. Get in touch today for more details.