The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls designed to ensure that organizations that accept, process, store or transmit payment card data do so in a secure manner. One of the key changes in the latest version, PCI DSS 4.0, is the increased focus and emphasis on risk management and recognition that strict adherence to controls does not necessarily address the various levels of risk present within an organization.
Risk management is the process of identifying, assessing and managing risks to an organization’s assets, which include its payment systems, the security systems connected to those payment systems and the organization’s cardholder data. The goal of risk management is to help organizations identify and understand the risks they face and take appropriate steps to mitigate those risks. By taking a more proactive approach to risk management, organizations can better protect their payment systems and cardholder data which should result in lowering the risk of data breaches and/or fraud.
PCI DSS 4.0 places a much stronger emphasis on risk management than any previous version of the Standard, requiring organizations to identify, assess and actively manage risks to their cardholder data environment (CDE). This increased emphasis on risk management is a direct result of the evolving threat landscape in the world today, which requires organizations to anticipate risks and proactively prevent threats. The new Standard requires organizations to:
- Develop and maintain a formalized risk management program that is integrated into their overall security program. This program should include regular risk assessments (targeted risk assessments when required or, as determined to be necessary based on the organization’s industry and environment) which identify and prioritize an entity’s risks and inform its security practices.
- Implement a continuous monitoring program that is designed to detect and respond to changes in the threat landscape, as well as changes in the organization’s own systems and processes. This program should include regular vulnerability scans and penetration testing, at a minimum, as well as other targeted forms of testing to ensure the organization’s security controls are not only in place but operating effectively and continuously.
- Conduct regular security awareness training for all personnel who have access to the organization’s payment systems or cardholder data. This training should be designed to help employees understand the importance of security, the risks they are exposed to through the course of performing their daily job duties, and the steps they can take to protect the organization’s assets and their customer’s cardholder data.
- Implement controls that are designed to manage risks to the organization’s payment systems and cardholder data. These controls should be based on the results of the organization’s risk assessments and should be designed to mitigate the risk, beginning with the highest-priority risks first.
By prioritizing risk management, organizations can effectively take more control over the security of their assets and can rest better at night knowing the right reactive controls are in place in the event that a breach does occur. The increased emphasis on risk management in PCI DSS 4.0 sends a strong message for organizations to be more forward-looking and agile in the face of evolving threats. As threats continue to evolve, so should your risk management program.
For more information or to connect with a Frazier & Deeter QSA, please contact:
Mindy Milliet, Partner, PCI | mindy.milliet@frazierdeeter.com
Aaron Getchius, Director, PCI | aaron.getchius@frazierdeeter.com