The Green Sheet Online Edition

January 10, 2011  •  Issue 11:01:01


Risk management and PCI

By Tim Cranny

In recent articles I've talked about how Payment Card Industry (PCI) Data Security Standard (DSS) compliance needs to move toward a "risk management" approach to security.

Now is a good time to say more about what that approach is, how it works, and what its strengths and weaknesses are. Fortunately, all of this information is useful right now and isn't just preparation for some future requirement.

The core idea behind risk management is that you can't treat the idea of "safe" as if it's an on/off switch, with the "on" setting meaning no risk.

There is no such thing as no risk. We all spend every moment of our lives - our personal lives as well as our business lives - surrounded by risk: the chance of being affected by cancer, car crashes, corporate malfeasance or a troubled economy, for example. It's just that when the risk is small enough, we simply live with it.

This approach is pragmatic. If you get fixated on eliminating all risk, you will fail, and you will also make the business case collapse: card processing only exists because it makes business sense for merchants to offer it.

We're never going to sell security to merchants by saying, "Your transactions are now incredibly safe, and it only costs an extra $100 per transaction." The goal of PCI is to make cardholder data as safe as possible - in a way that is technically and economically viable.

The goals of risk management

With that in mind, the idea of "safe" transforms into "safe enough." Instead of attempting to eliminate the risk, we focus on whether we can reduce the risk enough so it can be relegated to the enormous list of dangers we just live with every day. In other words, we need to ask, can we manage the risk?

By the way, risk management doesn't do away with questions of how to handle security; the technical details still need to be addressed. It does provide ways to think about what to do, why to do it and in what order. It gives you the right way to start on these issues; the technical details then follow.

So if risk is the key idea, how do we manage it? For that matter, what is risk?

There are various ways to define or measure risk, but the basic idea is that it measures the degree to which you should be concerned about a particular danger or threat. You could say risk is a combination of likelihood and consequences, where likelihood is how probable it is that a negative event will occur, and consequences are how much damage (financial, reputational or physical) that event would cause if it did.

A threat such as nuclear war has a low risk rating (we hope) because even though the consequences would be very high, the likelihood is extremely low.

The risk associated with drinking lukewarm coffee is also low, but for a different reason: no matter what the likelihood, the consequences are minor.

If you store thousands of customer credit card numbers on a poorly secured system, the consequences and likelihood of a negative event are high, so the risk score is high.

Risk management advocates the following: don't spend time worrying about bad coffee or nuclear war. Focus on fixing the risks at the top of the list, such as those poorly protected card numbers.

A step-by-step approach

A risk management approach involves these steps:

  1. Identify assets that need protection. This includes more than just money and physical assets; it encompasses sensitive data, company reputation, legal standing and so on.

  2. Identify threats to those assets. Threats can include everything from hackers to embezzlement to accidental loss to earthquakes.

  3. Determine an acceptable level of risk for these threat-asset combinations. Remember the answer won't be zero: that isn't realistic. Think in terms of managing risk down to a reasonable level, not extinguishing it.

  4. Estimate the likelihood and the consequences of each threat actually happening, then combine the two into a risk rating for that threat scenario.

  5. Address threats with a risk rating above your determined acceptable level. This means applying additional security measures to bring down the likelihood or consequences, or both, of the underlying threat until the risk is acceptable.
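The five steps above, worked through as a small risk register in Python. This is an added example, not code from the article or from Panoptic Security; the 1-to-5 ordinal scales, the acceptable level of 6, the register entries (built from the article's three illustrations) and the candidate controls with the step reductions assigned to them are all assumptions made for the example. It shows two things the prose does not: that triage only surfaces the scenarios above the threshold, and that a single control may leave residual risk still above the line, so controls are applied until the rating is acceptable rather than once.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Sequence

# Ordinal scales (assumption for this example; the article gives no numeric scale).
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}
ACCEPTABLE_RATING = 6  # step 3: hypothetical acceptable level; anything above needs treatment


@dataclass(frozen=True)
class Scenario:
    """One threat-asset combination (steps 1 and 2) with its estimates (step 4)."""
    asset: str
    threat: str
    likelihood: int
    consequence: int
    controls: tuple = ()  # controls applied so far, in order

    def __post_init__(self):
        for v in (self.likelihood, self.consequence):
            if v not in LIKELIHOOD:  # both scales are 1..5
                raise ValueError(f"score {v} outside 1..5 for {self.asset}/{self.threat}")

    def rating(self) -> int:
        # Risk as the combination of likelihood and consequences.
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Control:
    """A security measure that lowers likelihood and/or consequence by whole steps."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


def needs_treatment(register: Iterable[Scenario], acceptable: int = ACCEPTABLE_RATING) -> list:
    """Step 5 triage: scenarios above the acceptable level, highest rating first."""
    return sorted((s for s in register if s.rating() > acceptable),
                  key=lambda s: s.rating(), reverse=True)


def apply_control(scenario: Scenario, control: Control) -> Scenario:
    """Return the residual scenario after one control; scores never drop below 1."""
    return replace(
        scenario,
        likelihood=max(1, scenario.likelihood - control.likelihood_reduction),
        consequence=max(1, scenario.consequence - control.consequence_reduction),
        controls=scenario.controls + (control.name,),
    )


def treat(scenario: Scenario, candidates: Sequence[Control],
          acceptable: int = ACCEPTABLE_RATING) -> Scenario:
    """Apply candidate controls in the given order until residual risk is acceptable.

    Raises if the candidates run out first, so an untreatable scenario is never
    silently marked as accepted."""
    current = scenario
    for control in candidates:
        if current.rating() <= acceptable:
            break
        current = apply_control(current, control)
    if current.rating() > acceptable:
        raise RuntimeError(f"{current.asset}: residual rating {current.rating()} "
                           f"still above {acceptable}")
    return current


# Constructed register using the article's three illustrations.
REGISTER = [
    Scenario("stored cardholder data", "compromise of poorly secured server",
             likelihood=4, consequence=5),
    Scenario("office coffee", "served lukewarm", likelihood=5, consequence=1),
    Scenario("the business", "nuclear war", likelihood=1, consequence=5),
]

# Hypothetical controls and the step reductions assumed for them.
CANDIDATE_CONTROLS = [
    Control("truncate/tokenize stored PANs", consequence_reduction=3),   # far less to steal
    Control("patching and network segmentation", likelihood_reduction=2),  # harder to reach
]


def run() -> dict:
    """Triage the register and treat what is above the threshold.

    Returns {asset: (initial rating, residual rating, controls applied)}."""
    result = {}
    for s in needs_treatment(REGISTER):
        residual = treat(s, CANDIDATE_CONTROLS)
        result[s.asset] = (s.rating(), residual.rating(), residual.controls)
    return result


if __name__ == "__main__":
    for asset, (before, after, controls) in run().items():
        print(f"{asset}: {before} -> {after} via {', '.join(controls)}")
```

With these assumed scores, only the stored card numbers (rating 20) clear the threshold; the coffee and nuclear-war scenarios both sit at 5 and stay on the "live with it" list. Tokenizing alone brings the card-data scenario down to 8, still above 6, so the second control is applied and the residual rating ends at 4. In practice the scales, threshold and reductions come from your own assessment, not from this code.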

Here are a few additional tips:

Addressing risk at the portfolio level

Risk management is worth doing at the merchant level, but it is more complicated and demanding than a simple follow-the-steps recipe. The smart approach is not to dump that burden on merchants but to provide them with guidance on risk management instead.

This approach demands better tools and analytics at the portfolio-owner level. It no longer makes sense to treat your merchants as a single group. Instead, learn to "slice and dice" your portfolio in intelligent ways and treat the different subgroups with different strategies.

With the right tools and analytics, you can make your overall portfolio safer, while at the same time making your PCI program more efficient and cost-effective.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at or 801-599 3454.

