Information Security Leader, Author, Instructor and Speaker

PCI DSS Risk Assessments

Posted on March 24, 2013 in Articles

The Payment Card Industry Security Standards Council (PCI SSC) recently released additional guidance for merchants seeking to comply with the risk assessment obligation in PCI DSS requirement 12.1.2. While these guidelines are not officially mandated, merchants can expect that Qualified Security Assessors (QSAs) will reference them when determining whether a merchant's risk assessment process fulfills the PCI DSS requirement.

Inside the Risk Assessment Guidelines

Merchants have been required to conduct risk assessments since the initial release of the PCI DSS. Specifically, requirement 12.1.2 requires that organizations' security programs include "an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment." Although the standard goes on to cite OCTAVE, ISO 27005 and NIST SP 800-30 as examples of risk assessment methodologies, it stops short of dictating the process organizations must use to conduct the risk assessment.

Originally published on


Mike Chapple, CISSP, Ph.D.

Mike is an IT leader, information security professional, author, speaker and trainer with over fifteen years of experience in the field.
