PCI Risk Management

Once you have completed your comprehensive risk analysis, your next step will be PCI Risk Management. Risk management, required by PCI DSS Requirements, includes the implementation of security measures to reduce risk to reasonable and appropriate levels to, among other things, ensure the confidentiality, availability and integrity of cardholder data and protect against any reasonably anticipated threats, hazards, or disclosures of cardholder data not permitted by the Card Issuers and/or Acquiring Banks, or the Cardholder themselves.

The first step in the risk management process should be to develop and implement a Risk Management Plan. The purpose of a Risk Management Plan is to provide structure for the evaluation, prioritization, and implementation of risk-reducing measures and controls. The risk prioritization and mitigation decisions will be determined by answering which controls and measures should be implemented and the priority in which they should be addressed based upon their risk score.

An important component of the Risk Management Plan is the plan for implementation of the selected security measures and controls. The implementation component of the plan should address:

  • Risk score (threat and vulnerability combinations) assigned to a particular issue being addressed;
  • Recommendation of measures and controls selected to reduce the risk of an issue;
  • Implementation project priorities, such as required resources; assigned responsibilities; start and completion dates; and maintenance requirements.

The implementation component of the risk management plan may vary based on the circumstance. Compliance with the Security Rule requires financial resources, management commitment, and the workforce involvement. Cost is one of the factors we must consider when determining measures and controls to fix an issue. However, cost alone is not a valid reason for choosing not to implement security measures that are reasonable and appropriate. The output of this step is a Risk Management Plan that contains prioritized risks, options for mitigation of those risks, and a plan for implementation. The plan will guide our actual implementation of security measures to reduce risks to cardholder data to reasonable and appropriate levels.

The final step in the risk management process is to continue evaluating and monitoring the risk mitigation measures implemented. Risk analysis and risk management are not one-time activities. Risk analysis and risk management are ongoing, dynamic processes that must be periodically reviewed and updated in response to changes in the environment. The risk analysis will identify new risks or update existing risk levels resulting from environmental or operational changes. The output of the updated risk analysis will be an input to the risk management processes to reduce newly identified or updated risk levels to reasonable and appropriate levels.

Procedure: The objective of risk management is to create and document a planned risk management approach as follows:

  • The most recent Risk Assessment shall be used to develop or modify the risk Management Plan.
  • The Management Plan shall include implementation specifics and prioritized timelines for selected risk mitigation strategies identified in the monthly Risk Profiles, or Risk Assessment report.
  • The Security Officer or designated third party will execute the Management Plan by reviewing and addressing issues identified therein and will be responsible for implementation of the IT security, network and system recommendations.

You can implement automated tools and use other means to continually review and evaluate systems and devices that might store or have access to cardholder data. We will conduct a regular inventory of our information systems containing cardholder data and the security measures used to protect those systems. We will give highest priority to fixing issues associated with unacceptably high risk rankings and will then work to minimize or eliminate the risk based upon feasibility and effectiveness of specific method. Our Cardholder Data Security Officer will oversee the implementation of solutions to better secure systems that store, process or transmit electronic cardholder data

Automated tools will be used to validate that remediation has occurred and reports will be archived for at least TBD years. The tool activities will focus on collecting data through open protocols across the network or operating systems and producing reports and analysis on antivirus, patch and reliability, for example.

We will complement the automated reporting with walk through audits, device inspections and user list reviews.

The final step in the risk management process is to continue evaluating and monitoring the risk mitigation measures implemented. Risk analysis and risk management are not one-time activities. Risk analysis and risk management are ongoing, dynamic processes that must be periodically reviewed and updated in response to changes in the environment. The risk analysis will identify new risks or update existing risk levels resulting from environmental or operational changes. The output of the updated risk analysis will be an input to the risk management processes to reduce newly identified or updated risk levels to reasonable and appropriate levels.