The PCI Security Standards Council has just released a new ‘Information Supplement’ covering the various ways in which risk assessments are useful when conducting a PCI assessment. In particular, the requirement for an organisation to conduct a formal risk assessment on an annual basis (requirement 12.1.2) has caused headaches for some entities striving for compliance with the standard for some time.
For those in the know, there are many methodologies that can be used to assess risk and document the findings. The only problem is that most folks involved in taking payments are not exposed to these methodologies on a daily basis, so they may just as well be written in ancient Aramaic. Here is where the PCI supplement will come in handy: it gives an in-depth description of the types of risk commonly associated with taking card payments.
Risk is dependent on many conditions, and as such is prone to change over time. This document helps to address many of the common questions that arise when conducting risk assessments and acts as a guide to developing a risk management strategy.
This document has been written by a panel of payment security industry experts, including representation from SRM Ltd, to enable organisations to gain a better understanding of the threats to their cardholder data environment. The basic principles also extend usefully to the wider corporate environment.