What Is a PCI Risk Assessment? + Template

June 21, 2022

Emily Bonnie

Senior Content Marketing Manager at Secureframe


Marc Rubbinaccio

Manager of Compliance at Secureframe

Security risks are ever-changing, with new threats popping up seemingly every day. The only way to address risks is to first identify that they exist.

A PCI risk assessment helps you do just that by applying a methodology to identify potential risks that could impact your cardholder data environment.

Risk assessments are a way to proactively detect security weaknesses and analyze your security posture to mitigate current and future threats. 

Below, we outline how to complete your own PCI risk assessment in five simple steps.

Is a risk assessment required for PCI compliance?

Yes, risk assessments are required for PCI compliance. Details on risk assessments are included under Requirement 12.2.

Per the PCI requirement, businesses must establish a process to identify assets, threats, and vulnerabilities and conduct a formal risk assessment. PCI DSS requires businesses to conduct risk assessments at least once per year. 

There are a number of risk assessment approaches you can use, but the PCI DSS standard specifically mentions the following methodologies:

  • ISO 27005
  • National Institute of Standards and Technology (NIST) Special Publication 800-30


Why are risk assessments important?

Since the goal of PCI DSS is to protect cardholder data, it’s important to identify, mitigate, or completely remediate your biggest vulnerabilities before they snowball into larger issues or become exploited. 

By continuously monitoring for information security risks, your business gains a clearer picture of its security posture. This process is a great way to perform risk management throughout the year, continuously identifying and addressing threats that could have a large security impact on your business.

Security risks are dynamic: a risk that was ranked as low impact last year may now rank higher because of changes in the environment. Without ongoing monitoring, it’s difficult to catch these risk fluctuations until you’re in the midst of a security incident.

Additional PCI risk assessment benefits include the ability to:

  • Understand your risk profile 
  • Prioritize risk management efforts and security spending
  • Create an inventory of your IT and data assets 
  • Implement security controls more effectively

How to conduct a PCI risk assessment in 5 steps

The PCI DSS standard does not prescribe a step-by-step process for conducting a risk assessment. However, the following steps will help you identify threats and vulnerabilities that could impact your cardholder data environment, which is the main goal of a PCI risk assessment.

1. Scope your assessment

Before you begin identifying risks, you must map out the areas of your business that you need to secure and determine which assets make up your cardholder data environment. This is known as your PCI scope.

To do this, consider all of the people, processes, and technology that store, process, and transmit cardholder data or can impact the security of cardholder data. Questions to ask during the scoping process include:

  • How is cardholder data ingested?
  • How is cardholder data processed and transmitted throughout the cardholder data environment?
  • Who has access to the cardholder data environment or can see cardholder data?
  • Are there any systems or people that can potentially impact the cardholder data environment?

Mapping your card data flow can help you better understand how cardholder data is ingested and transmitted through your cardholder data environment from beginning to end. This will provide you with a clear picture of your cardholder data environment and the systems connected to it. 

2. Identify risks

Next, you’ll need to identify the people, processes, and technologies that either are part of your cardholder data environment or can impact the environment. 

During this phase, you’ll identify threats and vulnerabilities that could potentially impact your systems, which ultimately shapes your risk profile.

  • Vulnerabilities are flaws in the state of your environment that could be exploited.
  • Threats are the potential for someone or something to take advantage of a vulnerability.
  • Risks are a measure of the likelihood that a given threat will take advantage of a given vulnerability and the impact it will have on the cardholder data environment.

For example, let’s consider a software system that hasn’t been updated with a new version meant to patch a security vulnerability. The vulnerability is the outdated software, the threat is that a hacker could infiltrate the system, and the risk is what you take on by not keeping the software up to date.

Consider these categories of threats and vulnerabilities:

  • Digital: Not updating software with security patches
  • Physical: Improper disposal of data
  • Internal: Employees
  • External: Hackers
  • Environmental: Natural disaster

3. Analyze risks

Once your risks have been identified, you’ll need to assess the likelihood of the risk occurring and the potential impact that risk would have on your organization. 

  • Risk likelihood: Consider how likely it is for a threat to take advantage of a given vulnerability. For example, if you experienced a data breach in the last year, your likelihood of another occurring would be high unless you remediated the vulnerability that caused the breach.
  • Risk potential: Consider the damage a risk could do to your organization. For example, improperly configured firewalls could allow unnecessary traffic to enter or exit the cardholder data environment.

Based on likelihood and potential impact, assign a risk level to each vulnerability and its associated threat. Common risk level categories include high, medium, and low risk. Your team should prioritize managing the highest risks before tackling the medium and then low risks.

4. Create a risk management strategy

Once risks are categorized, you can begin strategizing your risk management process. While some risks can’t be eliminated entirely, the risk management process helps reduce risks to a more acceptable level. The remaining risk level is known as residual risk. 

When crafting your risk management strategy, consider how security controls will be evaluated, prioritized, and implemented. It’s helpful to appoint a team to own this process and regularly document findings. 

When you know how the risk mitigation process will be tracked, you can apply security controls to address the areas of highest risk. After security measures have been implemented, check their effectiveness and continue to monitor for emerging risks. 

While risk assessments need to be done annually for PCI compliance, there are a few additional strategies to help you monitor risks between assessments:

  • Penetration testing: Required by PCI DSS, penetration testing is a hands-on test of your system’s security.
  • Gap analysis: This assessment measures your current business practices to find any potential shortcomings that could make you noncompliant. 
  • Internal and external vulnerability scans: Also required by PCI DSS, vulnerability scans test for weaknesses in your infrastructure and applications. 

5. Properly document your risk assessment

After you’ve finished your risk assessment, compile your findings into a formal report. This report will include details on each identified vulnerability and how you’ve treated or accepted discovered risks.

Sections within a risk assessment report include:

  • Version history: The date of assessment completion and the document author
  • Executive summary: A summary of your organization’s security posture before and after the assessment  
  • Scope of the risk assessment: Describe your company and an overview of your cardholder data environment
  • Risk assessment approach: Your process for conducting the risk assessment and the method used to categorize and prioritize risks  
  • Asset inventory: A list of the in-scope assets included in your assessment
  • Threats: A list of the threats that could impact your assets 
  • Vulnerabilities: A list of the vulnerabilities that could be taken advantage of by threats to impact cardholder data
  • Risk assessment results: A list of categorized risks and the actions taken to address and mitigate risks
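As an added illustration of steps 3 through 5 (not code from the original article), the Python below keeps a small constructed risk register, scores each entry on a 1-3 likelihood and impact scale, assigns a high/medium/low level, computes the residual level after controls, and renders the results section of the report. The scales, thresholds, assets, threats and controls are this example's assumptions, not values PCI DSS prescribes.

```python
from dataclasses import dataclass, field
# Scales and thresholds are this example's assumptions; PCI DSS mandates no scoring scheme.
def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x impact (each rated 1-3) to High/Medium/Low."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact must be rated 1..3")
    score = likelihood * impact
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class Risk:
    asset: str          # in-scope asset from the asset inventory
    threat: str         # who or what could take advantage of the vulnerability
    vulnerability: str  # the flaw that could be exploited
    likelihood: int     # 1 = rare, 3 = likely
    impact: int         # 1 = minor, 3 = cardholder data exposed
    # (control name, likelihood reduction, impact reduction)
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        """Risk level before mitigating controls."""
        return risk_level(self.likelihood, self.impact)

    def residual(self) -> str:
        """Risk level remaining after the listed controls are applied."""
        lik = self.likelihood - sum(c[1] for c in self.controls)
        imp = self.impact - sum(c[2] for c in self.controls)
        return risk_level(max(1, lik), max(1, imp))

def prioritize(register: list) -> list:
    """High before Medium before Low; highest raw score first within a level."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(register, key=lambda r: (order[r.inherent()], -r.likelihood * r.impact))

def results_section(register: list) -> str:
    """Render the 'Risk assessment results' section of the report."""
    lines = ["Risk assessment results (inherent -> residual)"]
    for r in prioritize(register):
        lines.append(f"{r.inherent():<6} -> {r.residual():<6} {r.asset}: "
                     f"{r.threat} via {r.vulnerability}")
    return "\n".join(lines)

# Constructed sample register; assets, threats and controls are hypothetical.
REGISTER = [
    Risk("payment API server", "external attacker", "missing security patches", 3, 3,
         controls=[("monthly patch cycle", 2, 0)]),
    Risk("CDE firewall", "unauthorized inbound traffic", "permissive rule set", 2, 3,
         controls=[("semi-annual rule review", 1, 0), ("egress filtering", 0, 1)]),
    Risk("backup tapes", "improper disposal", "no media destruction procedure", 1, 2),
]
```

Calling `results_section(REGISTER)` returns the prioritized list with inherent and residual levels side by side, which is the shape of the "Risk assessment results" section above.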

PCI risk assessment report template 

PCI DSS requires businesses to document their risk assessment process and findings. Download our template below to help you format your risk assessment results. 

How Secureframe can help you prepare for a PCI risk assessment 

Risk assessments are an important part of PCI compliance. A thorough assessment helps you identify all potential risks and proactively employ security measures. 

Our team of PCI experts can help accurately identify all of your assets and potential vulnerabilities to get a full picture of your security posture — ensuring nothing falls through the cracks. 

To find out more about how Secureframe can help you achieve PCI compliance, request a demo with our team today.