PCI Risk Assessments – Why Is It Important?
The goal of PCI DSS is to reduce the risk of credit card breaches. That, however, is a broad statement intended to apply to any business model and security control set.
In order for an organization to effectively manage its own risk, it must complete a detailed risk analysis on its own environment. The goal for the risk analysis is for the organization to determine the threats and vulnerabilities to services performed and assets. As part of a risk assessment the organization should define its critical assets including hardware, software, and sensitive information - and then determine risk levels for those components. This in turn allows the organization to determine a prioritization level for reducing risk. It is important to note that risks should be prioritized for systems that will be in-scope for PCI DSS and then other company systems and networks. The PCI Security Standards Council (SSC) and the PCI DSS requirements themselves provide a lot of guidance on scoping a PCI DSS environment but this may be an area where the organization would want to contract with a QSA firm to validate the scope.
Have a question? Fill out the form at the bottom of the page.
About PHIL DORCZUK
Phil Dorczuk is a Senior Associate with Schellman. Prior to joining Schellman, LLC in 2013, Phil worked as a PCI DSS auditor with Coalfire Systems and a consultant at GTRI. At Coalfire, Phil specialized in PCI DSS audits and gap assessments and at GTRI specialized in Cisco network equipment installation and configuration.