The PCI Council recently released its updated SAQs aligned to v4.0.1. One change that is going to affect a lot of merchants is the inclusion of 12.3.1's targeted risk analysis for periodically performed controls. In this blog, we'll break down the various options for complying with this change. First, here is the requirement in full:
12.3 Risks to the cardholder data environment are formally identified, evaluated, and managed.
12.3.1 For each PCI DSS requirement that specifies completion of a targeted risk analysis, the analysis is documented and includes:
- Identification of the assets being protected.
- Identification of the threat(s) that the requirement is protecting against.
- Identification of factors that contribute to the likelihood and/or impact of a threat being realized.
- Resulting analysis that determines, and includes justification for, how the frequency or processes defined by the entity to meet the requirement minimize the likelihood and/or impact of the threat being realized.
- Review of each targeted risk analysis at least once every 12 months to determine whether the results are still valid or if an updated risk analysis is needed.
- Performance of updated risk analyses when needed, as determined by the annual review.
There are three different ways a merchant can comply with this requirement:
1. Use a redirect instead of an iframe
The 11.6.1 SAQ Completion Guidance states that if a redirect mechanism is used instead of an iframe, then 11.6.1 is not applicable, which in turn makes 12.3.1 not applicable.
SAQ Completion Guidance: Where the merchant server redirects customers from the merchant website to a TPSP/payment processor (for example, with a URL redirect), the merchant marks this requirement as Not Applicable and completes Appendix C: Explanation of Requirements Noted as Not Applicable.
2. Perform the 11.6.1 check weekly or more frequently
The SAQ A includes a completion guidance section that clearly indicates that if the 11.6.1 check is conducted weekly or more often, you can mark 12.3.1 as N/A and proceed. Achieving this should be straightforward, as most tools or solutions support this frequency without additional cost. Moreover, performing the check more often enhances security by allowing you to detect unwanted changes more promptly.
SAQ Completion Guidance: Requirement 12.3.1 only applies to merchants that chose the option of performing a targeted risk analysis to define how frequently to perform the mechanism's functions for Requirement 11.6.1. Merchants that chose the option of performing the mechanism's functions for Requirement 11.6.1 at least once weekly mark this requirement as Not Applicable and complete Appendix C: Explanation of Requirements Noted as Not Applicable.
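As an added illustration of what the recurring 11.6.1 check boils down to (example code written for this post, not from the SAQ or any particular tool): 11.6.1 calls for a mechanism that alerts on unauthorized modification of the HTTP headers and script contents of payment pages as received by the consumer browser, so the core of the check is comparing a fresh capture of the page against an approved baseline. The tracked header list, the hostnames and the sample page below are assumed or constructed for the example.

```python
import hashlib
import re

# Headers whose change on a payment page should raise an alert (assumed list; tune per site).
TRACKED_HEADERS = ("content-security-policy", "strict-transport-security", "x-frame-options")
# Regex extraction keeps the example short; a production tool should parse the page
# exactly as the consumer browser does, since 11.6.1 is about the page as received.
EXTERNAL_RE = re.compile(r"<script[^>]*\bsrc=['\"]([^'\"]+)", re.I)
INLINE_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)


def snapshot(headers, html):
    """Inventory compared between runs: tracked headers, external script URLs,
    and the SHA-256 of every inline script body."""
    low = {k.lower(): v for k, v in headers.items()}
    return {
        "headers": {h: low.get(h) for h in TRACKED_HEADERS},
        "external": sorted(set(EXTERNAL_RE.findall(html))),
        "inline": sorted(hashlib.sha256(s.strip().encode()).hexdigest()
                         for s in INLINE_RE.findall(html)),
    }


def diff_snapshots(baseline, current):
    """Human-readable findings; an empty list means nothing changed since the baseline."""
    findings = [f"header changed: {h}" for h in TRACKED_HEADERS
                if baseline["headers"][h] != current["headers"][h]]
    for kind in ("external", "inline"):
        old, new = set(baseline[kind]), set(current[kind])
        findings += [f"{kind} script added: {x}" for x in sorted(new - old)]
        findings += [f"{kind} script removed: {x}" for x in sorted(old - new)]
    return findings


# Constructed sample: the approved baseline, then a later fetch with a loosened CSP
# and an inline script that was never approved. Hostnames are placeholders.
BASELINE = snapshot({"Content-Security-Policy": "script-src 'self' https://psp.example"},
                    "<script src='https://psp.example/iframe.js'></script>")
CURRENT = snapshot({"Content-Security-Policy": "script-src *"},
                   "<script src='https://psp.example/iframe.js'></script>"
                   "<script>/* unapproved inline script */ var x = 1;</script>")

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, CURRENT):
        print(finding)
```

Run on a schedule (daily or weekly keeps you inside the "at least once weekly" option above), the findings list is what gets routed to the people who have to approve or revert the change.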
3. Complete a Targeted Risk Analysis
If for any reason you want to perform the check less frequently, then you'll need to complete the targeted risk analysis. You can download an Excel version of our template for free here, including an example.
Conclusion
In summary, while the new requirement for a targeted risk analysis in 12.3.1 might initially sound challenging, complying with it is more straightforward than it seems. For most merchants, the simplest and most effective approach will be to increase the frequency of the 11.6.1 check to weekly.