The Green Sheet

Wednesday, November 28, 2012

PCI SIG risk assessment guidance released

The PCI Security Standards Council (PCI SSC) recently released a set of best practices designed to help organizations assess and correct security vulnerabilities. The supplement's objective is to help merchants, service providers, acquirers and issuers comply with the Payment Card Industry (PCI) Data Security Standard (DSS). The document was produced by the PCI Risk Assessment Special Interest Group (SIG), which included representatives from banks, retailers, security assessors and technology vendors.

The PCI DSS requires businesses to have a process for assessing threats and vulnerabilities to payment card data in their payment systems. This is in addition to requiring that businesses take specific steps to protect data and to correct the vulnerabilities they find. A risk assessment helps companies reduce their exposure to data theft. The new PCI DSS Risk Assessment Guidelines Information Supplement offers guidance from members of more than 60 payments industry organizations.

A key focus area for stakeholders

"As there are a number of risk assessment methodologies out there, our stakeholders were looking for guidance on how to effectively apply these principles to their organizations to meet PCI requirements," said Bob Russo, General Manager of the PCI SSC. "As an open standards body, SIGs are one of the many ways we're able to tap into the brain trust that is our global community."

The supplement recommends that businesses formalize their risk assessment methodology in a simple way that fits the corporate culture and organizational requirements. It also urges businesses to perform risk assessment continuously, rather than as a one-time exercise, so that threats and vulnerabilities are mitigated quickly.

The document additionally reminds businesses that implementing risk assessment doesn't relieve the organization of its duty to comply with the PCI DSS or other PCI standards. And it emphasizes formal training on risk assessment processes for risk assessors to help them understand threats and vulnerabilities that could negatively impact their companies' systems.

The PCI SSC will publish SIG guidance supplements on e-commerce security and cloud computing in 2013. The council also stated that guidance development will begin in January 2013 for two new SIG project topics: third-party security assurance and best practices for maintaining PCI DSS compliance; guidance on these topics will be published in 2013 and 2014, respectively.
