The Payment Card Industry Security Standards Council (PCI SSC) recently released additional advice for merchants seeking to comply with the risk assessment requirement of PCI DSS requirement 12.1.2.  While these guidelines are not officially mandated, merchants can definitely expect that Qualified Security Assessors (QSAs) will reference them when determining whether a merchant’s risk assessment process fulfills the PCI DSS requirement.

Inside the Risk Assessment Guidelines

Merchants have been required to conduct risk assessments since the initial release of the PCI DSS.  Specifically, requirement 12.1.2 requires that organization’s security programs include “an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment.”  Although the standard goes on to cite OCTAVE, ISO 27005 and NIST SP 800-30 as examples of risk assessment methodologies, it stops short of dictating the process used by organizations to conduct the risk assessment.