By Viviana Wesley – PCI QSA, ISO 27001 Auditor, CISM, Jason Maiden – CISSP, PCI-QSA, PMP, ISO Lead Auditor, and Todd Becker, ISO 27001 Auditor, CISM, PCI QSA
There are very few things in life that operate on a one-size-fits-all approach, and cybersecurity is not one of them. Every organization has a unique risk profile that it must address. That profile is shaped by a combination of internal and external factors including size, industry, operational constraints and regulatory environment, to name a few. A security plan designed for Amazon is not realistic for an independent retail store, in the same way that an ice cream chain should not be held to the same demands as a hospital.
What is the Targeted Risk Analysis (TRA) in PCI DSS v4.0.1?
Targeted Risk Analysis (TRA) is a concept introduced in PCI DSS version 4.0 and carried forward in the current v4.0.1 revision, marking an important shift from the single organization-wide risk assessment required by earlier versions of the standard. PCI DSS v4.x gives companies the flexibility to focus their risk analysis on the areas most relevant to payment security. Rather than setting the frequency of certain security activities at fixed intervals dictated by the standard, companies can now base those frequencies on a risk analysis tailored to their specific environment. PCI DSS Requirement 12.3.1 (a TRA for each requirement that allows the entity to define how often an activity is performed) and Requirement 12.3.2 (a TRA for each requirement met using the Customized Approach) establish the basis for Targeted Risk Analysis. That flexibility extends to the use of customized controls if the entity can demonstrate that its control meets the requirement's stated objective with equivalent or better protection. The integration of TRAs is a recognition that different companies have different environments that call for different approaches.
How Does DoCRA Support Reasonable Security?
DoCRA stands for Duty of Care Risk Analysis. Unlike traditional risk assessments that focus narrowly on technical vulnerabilities and on impacts to the confidentiality, integrity and availability of assets, DoCRA takes a balanced approach that evaluates the risks an organization takes, the controls it puts in place, and the impact that those decisions have on all stakeholders.
DoCRA helps organizations define what "reasonable security" should look like by weighing multiple factors, including security needs, business objectives, legal and regulatory requirements, and societal expectations. This balanced approach ensures that security measures are both effective and practical for the organization's specific context. DoCRA helps establish the appropriate level of security without undue burden.
How Does DoCRA Apply to a PCI Targeted Risk Analysis?
HALOCK's Targeted Risk Analysis methodology guides organizations through a step-by-step process to evaluate risks. HALOCK applies the DoCRA approach in conjunction with a Risk Frequency Model that aligns with the PCI DSS requirement that TRAs be documented, repeatable, and based on defined criteria. For instance, if your IT department needs to determine how often to perform security activities whose frequency PCI DSS leaves to the entity, such as point-of-interaction (POI) device inspections or incident response personnel training, this approach helps you determine and justify the chosen frequency through the following process:
- Assess the asset or control criticality in your environment
- Assess the risk of performing the task less frequently, weighing it against the operational burden and the obligations of the organization
- Document the rationale in a way that satisfies PCI DSS requirements
Supporting Customized Controls and Defensibility
This methodology can also be used to validate a Customized Approach control as an alternative to the defined PCI DSS requirement, provided the organization can show that its control meets the requirement's Customized Approach Objective with equal or better protection. Again, this methodology can aid in this endeavor by:
- Quantifying the risk reduction achieved by the custom control
- Comparing it to the risk reduction of the standard control
- Providing a clear, evidence-based justification for the deviation
This methodology can also help organizations defend their security controls and frequency decisions in the event of a regulatory investigation or litigation, because it incorporates the legal standard of care. By adopting this methodology, you move beyond checkbox compliance to a smarter, more defensible approach to decision making that aligns with your security duty of care, business goals and legal responsibilities.
Building a Reasonable and Defensible Security Program
HALOCK’s QSAs can help you apply this methodology to meet your Targeted Risk Analysis obligations under PCI DSS. We can work with you to build a legally defensible, risk-based security program that reflects your organization’s specific environment and responsibilities.
Contact us to learn how this approach can support your PCI compliance and improve your overall risk posture.