Just Published: PCI DSS v4.x Targeted Risk Analysis Guidance

Risk analysis is a foundational tool to help organizations identify and prioritize potential threats and vulnerabilities within their environment. PCI DSS v4.0 introduced the concept of targeted risk analysis (TRA) with two different types of TRAs to provide entities with the flexibility to evaluate risk and determine the security impact of specific requirement controls, as appropriate for their environment.

The first type of TRA is for any PCI DSS requirement that allows an entity flexibility about how frequently to perform a given control and where the requirement specifies completion of a TRA to define that frequency. This type of TRA provides an entity flexibility to establish how often to perform a given control based on their environment’s risk profile. 

The second type of TRA is for any PCI DSS requirement that an entity meets with the customized approach. The outcome of this TRA allows an entity to identify risks and describe how their designed controls meet the requirements’ Customized Approach Objective and provide at least an equivalent level of protection as the Defined Requirement.

To support the industry’s understanding and effective use of TRAs, the Council has recently published “PCI DSS v4.x: Targeted Risk Analysis Guidance”. Questions addressed in this guidance document include, but are not limited to:

1. How does an entity know when TRAs are required to determine the frequency of an activity?
2. How often should an entity perform a TRA to determine the frequency of an activity?
3. How is the TRA specified in Requirement 12.3.1 in PCI DSS v4.0 different from the annual risk assessment in PCI DSS v3.2.1 at Requirement 12.2?
4. What is the assessor’s role in reviewing an entity’s TRA to determine the frequency of an activity?

The guidance also includes a table that outlines each PCI DSS requirement that specifies the completion of a TRA to determine the frequency of an activity, along with guidance on recommended frequencies for the related activities.

To support the completion of each type of TRA, the following sample templates are available:

All three documents can be found in the PCI SSC Document Library and the PCI DSS v4.0 Resource Hub.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts