What’s At Risk with your PCI Compliance?

With the latest PCI DSS updates, such as the shift to customized approaches and the focus on continuous compliance through an integrated, risk-aware security program, professionals are now expected to incorporate deeper risk analysis, align security strategies with business objectives, and justify priorities more clearly. Failure to do so can result in large fines, loss of customer trust, and even litigation.

PCI DSS now lets you perform a Targeted Risk Analysis (TRA) for two purposes: to justify the cadence you have chosen for a periodic requirement, or to justify a Customized Approach for meeting a requirement. For any applicable periodic-cadence requirement, the entity must document a TRA that justifies the frequency it has implemented for that requirement. A risk-mature organization that chooses to meet a requirement's stated Customized Approach Objective (in a way that does not strictly follow the defined requirement) performs a different type of TRA when validating compliance through an onsite assessment. An organization validating compliance through the Customized Approach must document a Controls Matrix, document the TRA, test the customized control to prove its effectiveness, monitor the control and maintain evidence of its effectiveness, and provide all of this to its QSA. The QSA then creates appropriate testing procedures to validate the organization's Customized Approach controls.

Both types of TRA are extremely helpful for companies with specialized operational needs, because they provide flexibility without lowering the security bar.

But to do a TRA well, you need a formal, legally justified method for determining which risks are tolerable. That is where the Duty of Care Risk Analysis (DoCRA) methodology comes in.


What is Duty of Care Risk Analysis (DoCRA) and what makes it unique?

DoCRA addresses risk reasonably. It poses a core question: what is the appropriate level of risk when you weigh the business's interests, the risks to the affected parties, and the risks to the public?

DoCRA helps organizations:

  • Make security decisions which are reasonable and defensible,
  • Communicate risk in a way that executives and regulators can understand,
  • And, most importantly, build a security program that can hold up in court, that is, one that is legally defensible.

If your TRA shows that a certain cadence for a control is impractical or too burdensome, DoCRA lets you weigh that against the likelihood and impact of a threat being realized. If you can demonstrate that your risk analysis meets PCI DSS requirements and was made in good faith, using a transparent and well-documented process, you’re in a much stronger position legally and ethically.

The DoCRA risk principles are frequently referenced in breach litigation settlements as the accepted method for demonstrating that an organization maintained reasonable security—even during a security incident.


How does the Duty of Care impact your PCI risk management?

In today’s world, cyber threats are growing in sophistication and scale. When you align your risk analysis with both PCI compliance and DoCRA principles, you’re doing more than checking boxes. You’re creating a defensible, balanced, and effective cybersecurity posture.

Implementing your security program with duty of care demonstrates to regulators, litigators, stakeholders, and customers that you are operating carefully and reasonably and respecting personal information.


How can I achieve PCI compliance TRA with DoCRA?

As primary authors of CIS RAM and the Duty of Care Risk Analysis (DoCRA), HALOCK brings unique expertise to help organizations implement these risk-based strategies in line with the new PCI requirements.

HALOCK’s Qualified Security Assessors (QSAs) are experienced in risk management using Duty of Care Risk Analysis (DoCRA). This approach weighs the impact of a risk to your organization against the potential harm that risk could pose to the company’s mission, objectives, and obligations. HALOCK’s QSAs have developed a Targeted Risk Analysis method that meets PCI DSS compliance requirements while leveraging DoCRA’s balanced framework.


What do I need to be PCI Compliant?

HALOCK assists organizations in achieving PCI DSS compliance by:

  • Helping clients understand how the standard applies to them through scope validation and readiness assessments,
  • Providing expert guidance throughout the remediation process to address any compliance gaps,
  • Validating compliance status, and
  • Preparing and submitting all required validation documentation, while establishing duty of care and reasonable controls as the law mandates.

HALOCK helps clients streamline their PCI DSS processes, reduce the scope of compliance, and implement reasonable security practices aligned with acceptable levels of risk.
