The first step in addressing risks to card data security is simply knowing where those risks exist in a payments system.
But many merchants, acquirers, issuers and service providers may not know how to analyze their biggest risks, says Bob Russo, general manager of the Payment Card Industry Security Standards Council.
The PCI council announced Nov. 16 it is providing those in the payments industry with guidelines based on work from the council’s risk assessment special interest group.
“The need for guidelines in this area was very clear to us after member feedback because risk assessment is essential to every business,” Russo says.
Troy Leach, the council’s chief technology officer, says that risk assessment should be the first step for any company in establishing security.
“It’s important that every department be engaged in the process, even those not necessarily involved in data storage,” Leach says. “We have found those other areas of companies sometimes have card data stored or processed and did not know it.”
The risk assessment guidelines represent “a critical starting point” for companies and banks because they define the process needed to conduct an annual assessment, he says.
The guidelines also remind those companies that more assessments may be needed “because of a new risk factor… [or] because the company changed and there are new employees,” Leach says.
Industry professionals with experience or those new to risk management will be able to understand the guidelines, Leach says. “They were built and designed for those new to the process, or not familiar with risk assessment,” he adds.
The guidelines also address how a company can evaluate the risks associated with using third-party vendors, Leach says.
More than 60 organizations representing banks, merchants, security assessors and technology vendors collaborated to produce the guidelines to help organizations understand how to identify, analyze and document the risks that may affect their cardholder data environment.
In September, the council provided its members with guidelines for securing mobile payments. These guidelines were based on member feedback and the work of its special interest groups.