The Art of PCI Compliance - Risk Assessment

Steven Fox

The Payment Card Industry Data Security Standard (PCI DSS), is “a set of comprehensive requirements for enhancing payment account data security.”  In other words, PCI provides a set of tactics to protect the confidentiality and integrity of data.  Great place to start – but it’s only part of the picture.  Applying them appropriately requires situational awareness and knowledge of the company’s core values and strategy.

This series explores Sun Tzu’s approach to assessing an army’s readiness for battle as applied to compliance requirements in support of business strategies.

Assess the Risk

“Regulations are not designed to handle the kinds of threats, the kinds of vulnerabilities, and the kinds of problems that organizations are facing today,” said Edward Schwartz, CSO of NetWitness.  He recommends that risk be assessed in the context of the processes that utilize the data being protected.  Sun Tzu suggests a five-point risk assessment approach.

1) The Way - refers to the culture of an organization.  A risk assessment must examine the impact of values and behavior on the overall security posture.  The behaviors that are incentivized by management priorities must be considered; they may focus on business expediency at the expense of security.

2) The Weather – refers to seasonal changes in organizational priorities.    A risk assessment must take patterns of organizational behavior into account.  This step in the process is facilitated by alliances with business stakeholders.

3) The Terrain – refers to the competitive and technological landscape both within and outside the organization.  Most security professionals are engaged to evaluate external threats.  The internal landscape, however, presents greater issues, obstacles, and opportunities of which we must be aware.  Organizations must understand the nature of the data stored, processed, and transmitted by their infrastructure.  The scope of a PCI DSS assessment, for example, is determined by the distribution of cardholder data within the network. 

4) The Leadership – refers to those who promote the corporate goals and enable those goals through tactical and operational initiatives.  We must assess what role those leaders will play in the PCI implementation and how they impact the overall risk posture.  By understanding our end-client – the business - you can architect a control strategy, and supporting tactics, that address risk while supporting management priorities.

5) The Discipline – refers to the enforcement of security policies and procedures.  A risk assessment must consider the human factors that enable threats.