Risk assessment and risk management (PCI compliance requirements 10.6.2 and 10.6.3) are 2 controls usually shoved off to the end of a Qualified Security Assessor (QSA) audit or Self–Assessment questionnaire (SAQ) process. Even as late as 2015, organizations considered the exercise as a hindrance to the completion of Payment Card Industry Data Security Standards (PCI DSS) requirements although they were mandatory in the earlier versions as well.
Who and which business unit at a company has the time to sit through hours of brainstorming to determine:
1. All risk areas within an organization.
2. How many areas are within a tolerant risk exposure level?
3. How much security is enough?
4. What needs to be done about addressing the identified risks?
5. Follow up on the exceptions and anomalies identified during the review process and on a regular basis every year.
Security governance is an enterprise-wide issue. Risk assessment and management are critical pieces of it.
• Executives across an enterprise are responsible for addressing the risks; implement prevention and protection measures.
• Risk assessment and management are business requirements that need to be aligned with business objectives, compliance requirements, and polices.
• Regardless of the type of retail business, risks persist in all businesses and all card data environments.
• It is not just about meeting PCI Compliance standards and checking off on the requirements; it is tied directly to the survival of a business.
• The right people need to be involved in going through the analysis and addressing them methodically.
If you need guidance on assessing and managing your organization’s risks, call Omega ATC. We will make the process efficient and comprehensive. You will get a complete analysis of your business’s risks, and steps required to remediate those risks. Email security@www.omegasecure.com, Call 636-557-7777.
