How to Do a PCI DSS Risk Assessment

Risk assessment.

Just hearing the words brings dread to the heart of some, while others are left with a profound feeling of boredom and confusion.

It’s hard to blame them. At some stage in their career, most people have experienced a very badly conducted risk assessment, and it’s left them scarred for life. They can’t even think about the subject without bringing back memories of tedium, bureaucracy, and frustration.

But it doesn’t have to be that way.

Risk assessments are vital to your organization’s ongoing security and done well they have the potential to uncover systems and processes that are actively putting you (or your customers’ data) in harms way.

The Tao of PCI DSS Risk Assessments

First of all, it’s important to understand what you’re actually obligated to do.

Under section 12.1 of the PCI DSS, which relates to your information security policy, the subsection relating to risk assessments reads:

“Establish, publish, maintain, and disseminate a security policy that… includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”

Not exactly specific, but in fairness there is an official set of PCI DSS Risk Assessment Guidelines, which go into a bit more detail.

Don’t fancy reading it all right now? I’ll give you the gist.

In basic terms, the guidelines suggest that you can conduct your risk assessment in whatever way you see fit… so long as it identifies threats and vulnerabilities that could negatively impact the security of cardholder data.

With that in mind, let’s look at some of the things you could do to satisfy this obligation.

Again, It’s Not Just About Compliance

In the last article, we put forward the idea that the official requirements for PCI compliance are not the most important thing to consider.

After all, we’re talking about your customers’ data here and particularly sensitive data at that. Any loss or mismanagement of payment data is going to have significant and long-lasting consequences, so it doesn’t take much of a leap to conclude that conducting a risk assessment might not be such a bad idea.

With that in mind, the steps we’re going to suggest go beyond simply “identifying a few areas of concern so we can prove we’ve done our due diligence” and into the realms of proactive data security.

With that out of the way…

Scoping Your Assessment

Before you can dive into your PCI DSS risk assessment, you’ll need to work out who and what will be included.

Firstly, it should go without saying that people (particularly your process owners) are going to play a pivotal role in the risk assessment process. That’s why, before doing anything else, you should identify key personnel and process documentation to be involved in the assessment.

Next come your assets. You’ll need to identify all of your assets, as any one of them could potentially pose a risk to your organization.

If you’ve been following this blog for a while, you may have already read through the vulnerability management series. If that’s the case, and you’ve implemented the suggested processes, you’re going to have a big head start here.

Finally, you’ll need to identify threat actors. Simply put, this is any person or group of people that could potentially cause harm to your organization. For instance, governments could pass harmful legislation, and hackers could steal from or damage your infrastructure.

In the context of the PCI DSS, hackers are the most obvious potential threat actors but don’t be lazy here. If your assessment is going to be maximally effective, it’s essential that you take the time to fully examine possible actors.

At this point, you’ll know the scope of your risk assessment, and you can start to identify threats.

Threat Hunting

Now that you know precisely who and what is involved in your risk assessment, it’s time to start identifying threats.

Some threats, such as asset vulnerabilities, will be fairly easy to identify. As a starting point, you’ll simply take the results of your last vulnerability scan, and subtract any that have already been remediated.

But other threats will take much more thought.

For instance, are there any elements of your processes that could potentially be exploited? If there are, this constitutes a real and measurable threat to your organization. How about your key personnel? They probably have privileged access to your network, so if their account were compromised it would have serious consequences.

Think creatively here. For every person, process, or asset involved in your assessment, consider what could potentially go wrong.

Once this is done (and it will take a while…) you’ll be ready for the analysis phase.

Triple Threat

It’s not enough to simply know a threat exists. You need to analyze.

Once you have a full list of threats, you’ll need to make three calculations:

1. Probability – The likelihood that a threat will actually occur
2. Impact – The potential damage to your organization if a threat occurs
3. Risk score – How dangerous a threat is, based on its probability and impact

There are literally hundreds of different processes for measuring these variables. One method would be to simply rank each risk on a scale of 1-4 for both probability and impact, and then take an average of the two to arrive at your risk score.

For example, if a threat has a probability of 4 (very likely) and a potential impact of 2 (moderate), your risk score would be the average of those two figures: 3.

Alternatively, if a threat is very likely (4) and potentially catastrophic (4), your risk score would be 4.

These scores are important because they’ll determine the order in which you’ll prioritize risks for remediation.

Action: The Most Important Step

Just like with vulnerability management, unless you’re actually going to act upon the results of your PCI DSS risk assessment, there’s really no point.

Sure, it’s a PCI requirement, but if you’re only going to pay it lip service it’s only a matter of time before something goes seriously wrong. And at that point, compliance is going to be the least of your worries.

Once you have a prioritized list of threats, it’s time to plan your remediation phase.

Of course, there are some threats that cannot be nullified. Even if they have a risk score of 4, you’re just going to have to accept them. On the other end of the scale, some low risk threats can be accepted for now in order to keep resources free for more important remediation work.

And that’s fine. Make sure you’re aware of them and have steps in place to deal with the damage if they do become a reality.

For other threats, you’ll need to determine the best course of action… and then do it.

It will require time, effort, and resources, but this is what the whole risk assessment process has been about: ensuring your customers’ payment data is kept safely and securely.

Don’t forget, the potential cost of inaction will be far worse.