PCI DSS v4.0: Targeted Risk Analysis

Alastair Stewart
|
Senior Consultant at URM
|
PUBLISHED on
4 Jun
2024

The Payment Card Industry Data Security Standard (PCI DSS) has always had a fairly distant relationship with risk assessments and risk in general.  It has never been a risk-based standard, as it was developed to address specific threats to cardholder data.  In fact, in previous versions of the Standard, the PCI Security Standards Council (PCI SSC) has only stipulated one requirement that covered risk assessments, and that was to simply state organisations should perform an annual risk assessment to address any risks above and beyond those covered by the Standard.

This has all changed, however, with PCI DSS v4.0, where risk appears in several place in the Standard.  The concept of targeted risk analysis (TRA) appears throughout the requirements with the inclusion of two different types of TRAs.  

Following on from our blogs on PCI DSS v4.0: Network Security Controls and on PCI DSS v4.0: Forced Password Changes and Zero Trust Architecture where we explored smaller, but still impactful changes in PCI DSS v4.0, this blog will explore the updated PCI DSS requirements around conducting TRAs.

What is a Targeted Risk Analysis (TRA) in PCI DSS v4.0?

TRA refers to the process of identifying, assessing, and prioritising security risks that are specific to a particular organisation, system, or environment.  Unlike generic risk assessments,  a TRA focuses on the unique risks and vulnerabilities that are pertinent to an organisation's operations, infrastructure, and compliance requirements.  By tailoring risk analysis to specific contexts, organisations are able to gain deeper insights into their security posture and make informed decisions to mitigate risks more effectively.

Targeted Risk Analysis (TRA) Diagram

The first type of TRA that crops up in v4.0 of the PCI DSS is to be used by organisations to define how frequently they perform a required activity.  Many of the PCI DSS requirements simply state that a certain compliance activity should be performed ‘periodically’.  For example, Requirement 5.3.2.1 states that if periodic malware scans are performed, the frequency of scans is defined in the entity’s TRA.

In these cases, a TRA is required to justify the frequency interval that is chosen to ensure that the risk is reduced to an acceptable level, and that excess risk isn’t introduced by simply picking an arbitrary interval.  The format of this TRA can be defined by your organisation, however the PCI SSC does provide an example template that includes details such as the asset being protected, the threat impact, the threat likelihood, when the TRA should be reviewed and other details.

These activity-frequency TRAs are not particularly challenging unless you lack experience in performing risk assessments and the principles that underly a successful risk assessment.  For organisations that have not dealt with risk in any formal capacity before, there needs to be a period where you develop an understanding of the basics of risk management before the TRAs can be completed.

The second type of TRA is to be used when an organisation is adopting the customised approach to meet a PCI DSS requirement or group of requirements, and this is a much more detailed risk assessment.  As such, organisations need to be mature and experienced in their risk management processes.  Again, a sample template has been provided by the PCI SSC, but this is much more in-depth than the other TRA template and includes a number of fine details, such as likelihood of mischief occurring, reasons for mischief occurring, how your control affects those likelihoods, detailed impact analysis, executive management review process, and much more.  These types of TRA are not for the faint hearted, and much like the prospect of utilising a customised approach itself, they should only be used by organisations that are risk mature and confident in their risk processes.

What are the reasons for and benefits of using TRAs to comply with PCI DSS v4.0?

One of the key benefits of TRA within the PCI DSS v4.0 framework is the ability to align the periodic requirements with the organisation's business objectives, processes, and systems.  By assessing risks specific to the payment card environment, organisations can identify vulnerabilities and threats that pose a direct threat to cardholder data security and ensure they are addressed adequately.

TRA allows your organisation to make informed, risk-based decisions when implementing security controls and measures.  By prioritising risks based on their potential impact and likelihood, you can allocate resources efficiently and focus on mitigating high-risk areas within the payment card environment.

Continuous improvement is a backbone of PCI DSS compliance because, in today's dynamic threat landscape, cybersecurity is a continuous process that requires ongoing monitoring, evaluation, and adaptation.  TRA allows for continuous improvement by enabling you to regularly assess and reassess security risks, adapt to emerging threats, and enhance your security posture proactively.

Also, by conducting targeted risk analysis as part of PCI DSS compliance, you can raise awareness among stakeholders about the significance of security risks and the potential impact of data breaches.  This heightened awareness can facilitate better communication, and support for compliance as a whole within your organisation.

Closing Thoughts

TRAs are a critical component of PCI DSS compliance which enables organisations to better protect sensitive cardholder data.  By conducting customised risk assessments, organisations can identify and mitigate risks specific to their payment card environment, enhance threat detection capabilities, align with compliance requirements, make informed decisions, drive continuous improvement, and raise stakeholder awareness.

How URM can Help?

If your organisation would benefit from support managing its transition to PCI DSS v4.0 and understanding all of the new requirements, or with PCI compliance in general, URM’s extensive experience as a PCI Qualified Security Assessor Company (PCI QSAC) means we are ideally placed to provide you with this support.  Our team of PCI DSS consultants can assist you with the entire certification or recertification process, both with your assessment preparation and with the assessment itself.  For example, we can offer a scope reduction service to help you define the most streamlined and appropriate certification scope, thus helping to reduce the amount of time the assessment takes and its cost.  We can also conduct a gap analysis of your current environment against the PCI DSS requirements to identify the areas where you are compliant with the Standard, and any areas of noncompliance.  If noncompliances are identified, URM’s PCI DSS consultant will support you to complete any implementation and remediation activities necessary to ensure you can achieve and/or maintain compliance.

Once your organisation is fully prepared for a successful certification, URM can also offer a range of PCI DSS audit services to support and facilitate your assessment.  We can conduct a pre-audit readiness assessment of your environment to establish its level of compliance and identify any areas of noncompliance still outstanding, providing you with another opportunity to remediate before the formal assessment.  For organisations which need to complete a self-assessment questionnaire (SAQ), URM can offer a Qualified Security Assessor (QSA) SAQ where our QSA leads your completion of and countersigns your SAQ, or support your completion of the SAQ in an advisory capacity, depending on the level of support you would prefer.  Meanwhile, if your organisation is a Level 1 merchant or service provider, we can deliver a full PCI audit led by experienced QSAs, culminating in a Report on Compliance (RoC).

Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for help preparing for a PCI DSS assessment?

As a PCI QSA, URM can assist you with a range of services, including conducting gap analyses, helping you reduce your CDE scope and conducting penetration tests.
Thumbnail of the Blog Illustration
Information Security
Published on
8/8/2022
PCI Policies, Procedures and Evidence – What is expected?

While it’s one of the areas that IT and security departments find challenging, documentation (and compliant evidence)....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
9/8/2022
5 Ways to Reduce Your PCI DSS Scope

Almost all organisations that implement the Payment Card Industry Data Security Standard (PCI DSS) struggle with the scope of the applicability....

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
10/11/2023
Pros and Cons of Delaying Your PCI DSS v4.0 Transition

Transitioning to PCI DSS v4.0 sooner rather than later has its advantages and disadvantages, in this article URM explores both sides of the argument.

Read more
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly is highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Open Banking Platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.