With the introduction of PCI DSS v4.0, many requirements and processes have changed significantly. Some of the new requirements are future-dated requirements, which will become mandatory from March 31, 2025. These include Targeted Risk Analyses that have been recently added in PCI DSS v4.0. They replace the company-wide risk management processes required in earlier versions of the standard and are also a continued component of the recently published version 4.0.1. Instead of the entire company, Targeted Risk Analyses focus on certain individual requirements.
Tobias Weber, Managing Consultant and Qualified Security Assessor at usd AG, has already taken a more in-depth look at Targeted Risk Analyses in a webinar. We have summarized the most important results for you here.
Targeted Risk Analyses: Requirement 12.3
Requirement 12.3 of PCI DSS v4.0 specifies requirements for conducting risk analyses. According to this requirement, risks for the cardholder data environment (CDE) must be formally identified, assessed and managed. The requirement is divided into four sub-requirements. The first two of these sub-requirements refer to PCI DSS requirements, which now allow companies more flexibility in their compliance. The other two sub-requirements provide frameworks for the cryptographic architecture used by an organization and for the lifecycle management of software and hardware.
- Requirement 12.3: Risks to the cardholder data environment are formally identified, evaluated, and managed.
- 12.3.1 - Frequency of performance of controls
- 12.3.2 - Measures for customized approach
- 12.3.3 - Cryptographic agility
- 12.3.4 - Lifecycle management
12.3.1: Targeted Risk Analysis for requirements with flexible frequency
PCI DSS v4.0 offers companies the opportunity to determine the frequency in which they implement the required activities for certain requirements. In order to determine an appropriate frequency, companies must conduct a Targeted Risk Analysis.
Our tip for you:
Review the threat level and potential damage level for the relevant requirements regularly. You can reference "industry best practices" such as those from NIST or the BSI. Select the frequency for the required activities based on this assessment and document your results.
12.3.2: Targeted risk analysis for requirements based on the customized approach
Version 4.0 of the PCI DSS contains many mechanisms that enable companies to take a more flexible approach to compliance. For example, companies can choose whether to meet certain requirements using the traditional approach (Defined Approach) or the new Customized Approach. The Customized Approach offers the opportunity to develop and implement individual security measures. A Targeted Risk Analysis must be conducted for each requirement that is implemented with a Customized Approach.
Our tip for you:
To conduct the Targeted Risk Analysis for this sub-requirement, refer to the Council's template in Appendix E of the standard. It contains valuable guidelines for the process steps.
12.3.3: Targeted Risk Analysis und Cipher Suites
In Requirement 12.3.3, the standard now requires improved management of the cryptographic architecture. For all cryptographic cipher suites and protocols used, this involves checking whether they can continue to be used in future or whether a strategy must be developed for replacing outdated procedures.
Our tip for you:
Conduct the Targeted Risk Analysis for Requirement 12.3.3 in three steps:
12.3.4: Targeted Risk Analysis and Hardware- and Software-Lifecycle-Management
The fourth sub-requirement from 12.3 relates to the monitoring of the software and hardware used regarding the communicated end-of-life dates. If a deadline has been communicated by the manufacturer, a project must be set up to determine how the outdated technology can be replaced.
Our tip for you:
Conduct the Targeted Risk Analysis for Requirement 12.3.4 in three steps:
You can watch the recording of the entire webinar on Targeted Risk Analysis here. You can read everything about PCI DSS v4.0 in our blog posts and other webinar recordings. Do you have any further questions? Please contact us.