PCI DSS v4.0 introduced the concept of targeted risk analysis (TRA) and includes two different types of TRAs. This document provides a description of each, answers to frequently asked questions, and a table listing the PCI DSS requirements that specify completion of a TRA to define how frequently an activity is performed.
For any PCI DSS requirement that specifies a TRA to define how frequently to perform an activity
The first type of TRA, specified in PCI DSS Requirement 12.3.1, focuses on those PCI DSS requirements that allow an entity flexibility about how frequently to perform a given control. This TRA provides a framework for the entity to define an appropriate frequency based on their assessment of the risk to their environment.
For these TRAs, entities will identify the specific assets—for example, log files, or credentials—that the related requirement is intended to protect, as well as the threat(s) or outcomes from which the requirement is protecting the assets—for example, malware, an undetected intruder, or misuse of credentials. Examples of factors that could contribute to likelihood and/or impact of a threat being realized include any that could increase the vulnerability of an asset to a threat—for example, exposure to untrusted networks, complexity of an environment, high staff turnover—as well as the criticality of the system components or the volume and/or sensitivity of the data being protected. The performance of a TRA that incorporates these factors ensures a robust, comprehensive, and consistent assessment of risks for each applicable asset.
All elements that must be included in a TRA for PCI DSS requirements that allow flexibility about how frequently to perform an activity are documented in PCI DSS v4.x Sample Template: Targeted Risk Analysis for Activity Frequency, which can be found in the PCI SSC Document Library. Entities documenting a TRA to define an activity’s frequency are required to include all elements specified in this template, but are not required to use the template itself or to follow its specific format.
For any PCI DSS requirement that an entity meets with a customized approach
The second type of TRA, specified in Requirement 12.3.2, is for any requirement that an entity meets with the customized approach. This TRA supports the implementation of a repeatable and robust risk analysis methodology specific to a customized approach and is one of several activities the entity will perform to show how it meets the Customized Approach Objective. The outcome of this type of TRA allows the entity to identify risks, evaluate the effect on security if the defined requirement is not met, and describe how the entity has determined that its controls meet the Customized Approach Objective and provide at least an equivalent level of protection as the defined PCI DSS requirement. The assessor uses the customized approach documentation provided by the entity, including this TRA, to plan and prepare for the assessment.
All elements that must be included in a TRA for any PCI DSS requirement that an entity meets with the customized approach are documented in PCI DSS v4.x Sample Templates to Support Customized Approach (which includes sample templates for both the Controls Matrix and the Targeted Risk Analysis), which can be found in the PCI SSC Document Library.