The Payment Card Industry (PCI) Security Standards Council recently drafted risk assessment guidelines that assist merchants in finding potential causes of breaches in the security of their systems that store, process and transmit cardholders payment card data.

By performing these risk assessments, merchants will be able to determine what controls they should maintain in order to prevent or mitigate the risks of theft and misuse of sensitive cardholder information.

These risk assessment guidelines are not new but rather an elaboration of the existing Payment Card Industry Data Security Standards (PCI DSS) 12.1, which raises the need for the performance of risk assessments.

According to PCI DSS 12.1, merchants are currently required to perform at least an annual formal risk assessment to assist in identifying possible threats, vulnerabilities and risks that could jeopardize the security of cardholder data. However, the PCI Security Standards Council is stressing the need for continuous risk assessments, and such assessments should not be a substitute for the risk assessments as outlined by the DSS 12.1. The risk assessment must be documented and given to all relevant personnel, business partners and vendors. The risk assessment must go beyond just the computer systems that store, process and transmit cardholder information. External security measures, such as the security of the building where cardholder data is stored and processed, must be reviewed for effectiveness. Additionally, merchants must analyze the security systems of third-party processors and any other merchant services organization with which merchants share risks.

Ways to Improve the Key Elements of Risk Assessment

Develop a Risk Assessment Team

This team should be comprised of individuals from all departments of a business organization.

Build a Risk Assessment Methodology

Organizations may consider adopting an industry-standard methodology that is appropriate for their business culture and climate.

Risk Identification

The business should identify threats and vulnerabilities that could harm or weaken its cardholder information systems.

Examples of potential threats to a merchant are:

  • External hackers
Malicious individuals
  • Cyber criminals
  • Internal user mistakes
  • Human error
  • Thief or intruder trying to cause physical damage or steal assets

Some system vulnerabilities that merchants can face are:
  • Lack of proper network security, such as effective firewall and mal-ware protection
  • Weak passwords
  • Lack of user training and knowledge
  • Access permission given to unauthorized individuals
  • Weak encryptions
  • Lack of physical security
  • Disposal of storage media before deleting data

Some of the risks associated with these threats and vulnerabilities include:

  • Unauthorized access to sensitive cardholder information
  • Compromised or misuse of confidential information
  • Introduction of malicious code through web browsing or email
  • System compromise and downtime
  • Installation of rogue devices causing system downtime

In order to assist merchants with developing a stronger risk assessment, the PCI Council has developed a program called “Qualified Integrated Re-Seller.” These are technicians that are PCI-Certified and can provide assistance to the merchants on installing secure payment applications for cardholders information. These technicians are specifically trained for this service and will be placed on a list that will be given to the merchants. While businesses are not required to use such technicians, the PCI Council strongly recommends using these preferred technicians.