Bringing ERM to PCI: PCI-DSS Risk Assessment Guidelines

Categories: Governance, Risk & Compliance

In mid-November, the PCI Security Standards Council released its Risk Assessment Guidelines as a supplement to the PCI Data Security Standard (PCI-DSS). Expanding on the requirements outlined in section 12.1.2 of the PCI-DSS, the new document provides further guidance on the techniques and methods organizations should consider when addressing this requirement of the standard. As solid and prescriptive as the PCI-DSS is, there are several areas – risk management being one – that are very hard to elaborate on beyond the basic requirement of having a risk management process without publishing an extensive treatise on risk management. The Special Interest Group of the PCI Council has taken this opportunity to expand on its risk management expectations through this special publication.

The practices described in the supplement are common to the enterprise risk management (ERM) programs that many organizations are working toward. Establishing a risk assessment team, implementing a common risk assessment framework, using consistent risk identification methods, and evaluating, analyzing and treating risks, as outlined in the publication, are core to the ERM strategies of many companies. This underscores the value of the ERM initiatives under way in companies today and is an indicator of what we can expect from regulatory, industry and legislative standards.

Risk-based approaches are becoming a fundamental component of compliance activities across the board. A risk management requirement is common in many industry standards. The PCI Council has taken the next step by providing more guidance, thereby raising the bar on what is expected to meet this requirement.

Companies that are struggling to support or justify their ERM efforts can look to this trend as another source of justification. Risk management will be considered another key benchmark in a company’s compliance efforts.

Checking the box on “Do you have a risk management program?” will not be as simple as before. The expectations are being raised as standards bodies recognize the benefits, and the intricacies, of a strategic risk management program.

Author: Steve Schlarman

Steve Schlarman is a GRC Strategist for RSA, The Security Division of EMC. With deep compliance, security, audit and IT management expertise, Mr. Schlarman is responsible for product design and architecture for RSA Archer GRC Solutions, focusing on IT and security. Prior to joining Archer, Mr. Schlarman was the Chief Compliance Strategist for Brabeion Software, where he led overall product strategy, product management and content management. Before Brabeion, he was a Director in PricewaterhouseCoopers' Advisory Practice, focusing exclusively on information security consulting and auditing. Mr. Schlarman received a Bachelor of Science degree in Mathematical Sciences from Southern Illinois University-Edwardsville. He holds both CISSP and CISM certifications.