Risk analysis is a foundational tool to help organizations identify and prioritize potential threats and vulnerabilities within their environment. PCI DSS v4.0 introduced the concept of targeted risk analysis (TRA) with two different types of TRAs to provide entities with the flexibility to evaluate risk and determine the security impact of specific requirement controls, as appropriate for their environment.
The first type of TRA is for any PCI DSS requirement that allows an entity flexibility about how frequently to perform a given control and where the requirement specifies completion of a TRA to define that frequency. This type of TRA provides an entity flexibility to establish how often to perform a given control based on their environment’s risk profile.
The second type of TRA is for any PCI DSS requirement that an entity meets with the customized approach. The outcome of this TRA allows an entity to identify risks and describe how their designed controls meet the requirements’ Customized Approach Objective and provide at least an equivalent level of protection as the Defined Requirement.
To support the industry’s understanding and effective use of TRAs, the Council has recently published “PCI DSS v4.x: Targeted Risk Analysis Guidance”. Questions addressed in this guidance document include, but are not limited to:
- How does an entity know when TRAs are required to determine the frequency of an activity?
- How often should an entity perform a TRA to determine the frequency of an activity?
- How is the TRA specified in Requirement 12.3.1 in PCI DSS v4.0 different from the annual risk assessment in PCI DSS v3.2.1 at Requirement 12.2?
- What is the assessor’s role in reviewing an entity’s TRA to determine the frequency of an activity?
The guidance also includes a table that outlines each PCI DSS requirement that specifies the completion of a TRA to determine the frequency of an activity, along with guidance on recommended frequencies for the related activities.
To support the completion of each type of TRA, the following sample templates are available:
- PCI DSS v4.x Sample Template: TRA for Activity Frequency
- PCI DSS v4.x Sample Templates to Support Customized Approach
  - Includes PCI DSS v4.0 Appendix E sample templates for both the Controls Matrix and the Targeted Risk Analysis