PCI DSS 4.0.1
Browse PCI DSS 4.0.1
12.1 12.2 12.3 12.4 12.5 12.6 12.7 12.8 12.9 12.10
12.3: 1. For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented and includes: (a) Identification of the assets being protected, (b) Identification of the threat(s) that the requirement is protecting against, (c) Identification of factors that contribute to the likelihood and/or impact of a threat being realized, (d) Resulting analysis that determines, and includes justification for, how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and/or impact of the threat being realized, (e) Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed, (f) Performance of updated risk analyses when needed, as determined by the annual review.
  • Examine documented policies and procedures to verify a process is defined for performing targeted risk analyses for each PCI DSS requirement that specifies completion of a targeted risk analysis, and that the process includes all elements specified in this requirement.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Some PCI DSS requirements allow an entity to define how frequently an activity is performed based on the risk to the entity’s environment. Performing this risk analysis according to a methodology ensures validity and consistency with policies and procedures.

This targeted risk analysis (as opposed to a traditional enterprise-wide risk assessment) focuses on those PCI DSS requirements that allow an entity flexibility about how frequently an entity performs a given control. For this risk analysis, the entity carefully evaluates each PCI DSS requirement that provides this flexibility and determines the frequency that supports adequate security for the entity, and the level of risk the entity is willing to accept.

The risk analysis identifies the specific assets, such as the system components and data—for example, log files, or credentials—that the requirement is intended to protect, as well as the threat(s) or outcomes that the requirement is protecting the assets from—for example, malware, an undetected intruder, or misuse of credentials. Examples of factors that could contribute to likelihood or impact include any that could increase the vulnerability of an asset to a threat—for example, exposure to untrusted networks, complexity of environment, or high staff turnover—as well as the criticality of the system components, or volume and sensitivity of the data, being protected.Reviewing the results of these targeted risk analyses at least once every 12 months and upon changes that could impact the risk to the environment allows the organization to ensure the risk analysis results remain current with organizational changes and evolving threats, trends, and technologies, and that the selected frequencies still adequately address the entity’s risk.

Good Practice

An enterprise-wide risk assessment, which is a point-in-time activity that enables entities to identify threats and associated vulnerabilities, is recommended, but is not required, for entities to determine and understand broader and emerging threats with the potential to negatively impact its business. This enterprise-wide risk assessment could be established as part of an overarching risk management program that is used as an input to the annual review of an organization's overall information security policy (see Requirement 12.1.1).

Examples of risk-assessment methodologies for enterprise-wide risk assessments include, but are not limited to, ISO 27005 and NIST SP 800-30 .

Further Information

Refer to the following documents on the PCI SSC website:

• Information Supplement: TRA Guidance

• Sample Template: TRA for Activity Frequency .

12.3: 2. A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include: (a) Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis), (b) Approval of documented evidence by senior management, (c) Performance of the targeted analysis of risk at least once every 12 months.
  • Examine the documented targeted risk- analysis for each PCI DSS requirement that the entity meets with the customized approach to verify that documentation for each requirement exists and is in accordance with all elements specified in this requirement.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

A risk analysis following a repeatable and robust methodology enables an entity to meet the customized approach objective.

Definitions

The customized approach to meeting a PCI DSS requirement allows entities to define the controls used to meet a given requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. These controls are expected to at least meet or exceed the security provided by the defined requirement and require extensive documentation by the entity using the customized approach.

Further Information

See Appendix D: Customized Approach for instructions on how to document the required evidence for the customized approach.

See PCI DSS v4.x: Sample Templates to Support Customized Approach on the PCI SSC website for templates that entities may use to document their customized controls. Note that while use of the templates is optional, the information specified within each template must be documented and provided to each entity’s assessor.

12.3: 3. Cryptographic cipher suites and protocols in use are documented and reviewed at least once every 12 months, including at least the following: (a) An up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used, (b) Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use, (c) Documentation of a plan, to respond to anticipated changes in cryptographic vulnerabilities.
  • Examine documentation for cryptographic suites and protocols in use and interview personnel to verify the documentation and review is in accordance with all elements specified in this requirement.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Protocols and encryption strengths may quickly change or be deprecated due to identification of vulnerabilities or design flaws. In order to support current and future data security needs, entities need to know where cryptography is used and understand how they would be able to respond rapidly to changes impacting the strength of their cryptographic implementations. Good Practice

Cryptographic agility is important to ensure an alternative to the original encryption method or cryptographic primitive is available, with plans to upgrade to the alternative without significant change to system infrastructure. For example, if the entity is aware of when protocols or algorithms will be deprecated by standards bodies, proactive plans will help the entity to upgrade before the deprecation is impactful to operations.

Definitions

“Cryptographic agility” refers to the ability to monitor and manage the encryption and related verification technologies deployed across an organization.

Further Information

Refer to NIST SP 800-131a, Transitioning the Use of Cryptographic Algorithms and Key Lengths .

12.3: 4. Hardware and software technologies in use are reviewed at least once every 12 months, including at least the following: (a) Analysis that the technologies continue to receive security fixes from vendors promptly, (b) Analysis that the technologies continue to support (and do not preclude) the entity’s PCI DSS compliance, (c) Documentation of any industry announcements or trends related to a technology, such as when a vendor has announced “end of life” plans for a technology, (d) Documentation of a plan, approved by senior management, to remediate outdated technologies, including those for which vendors have announced “end of life” plans.
  • Examine documentation for the review of hardware and software technologies in use and interview personnel to verify that the review is in accordance with all elements specified in this requirement.
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

Description

Purpose

Hardware and software technologies are constantly evolving, and organizations need to be aware of changes to the technologies they use, as well as the evolving threats to those technologies to ensure that they can prepare for, and manage, vulnerabilities in hardware and software that will not be remediated by the vendor or developer. Good Practice

Organizations should review firmware versions to ensure they remain current and supported by the vendors. Organizations also need to be aware of changes made by technology vendors to their products or processes to understand how such changes may impact the organization’s use of the technology.

Regular reviews of technologies that impact or influence PCI DSS controls can assist with purchasing, usage, and deployment strategies, and ensure controls that rely on those technologies remain effective. These reviews include, but are not limited to, reviewing technologies that are no longer supported by the vendor and/or no longer meet the security needs of the organization.