PCI Compliance for Merchants: 5 Steps to Conduct Your Own Risk Assessment



Contributed by SecurityMetrics

As a merchant, you deal with sensitive cardholder data. Account numbers, expiration dates, and the personal information that goes with them all need to be protected. The Payment Card Industry Security Standards Council (PCI SSC) is the global body that maintains and promotes the Payment Card Industry Data Security Standard (PCI DSS), which applies to every entity that stores, processes, or transmits payment card data.


PCI DSS Requirement 12.2 (as numbered in PCI DSS version 3.x) states that merchants and other businesses that handle cardholder data must implement a risk-assessment process that is performed at least annually and upon significant changes to the environment, identifies critical assets, threats, and vulnerabilities, and results in a formal, documented analysis of risk. The point of a risk assessment is to find the vulnerabilities, threats, and risks that matter most, especially those affecting the merchant's cardholder data environment (CDE).


The requirement to perform regular risk assessments may seem like a hassle, but in practice it is what lets an organization identify, prioritize, and manage its information security risks rather than reacting to whichever problem surfaces first.


Organizations that take a proactive approach to security use internal and external resources to identify critical assets, assess the threats and vulnerabilities that could affect those assets, and implement a risk management strategy to mitigate them.

Here are 5 steps to conduct your own risk assessment:



Step 1: Identify vulnerabilities, threats, and risks

Start by taking an honest look at your environment. Specifically, look for:

  • Vulnerabilities: a vulnerability is a weakness in a component, procedure, design, implementation, or internal control that a threat could exploit. Examples include unpatched operating system software, poorly coded websites, a lack of office security policies, a misconfigured or missing firewall, and insecure point-of-sale (POS) devices.
  • Threats: a threat is anything with the potential to exploit a vulnerability and cause harm, whether a person, an event, or a condition. Which threats apply to you depends on factors such as your physical location, organization size, and the systems you run. Threats can be natural, like landslides, earthquakes, and floods. Others to consider: attackers installing malware on a system, employees inadvertently entering or deleting data, power failures, chemical leaks, and third-party vendors with access to your environment.
  • Risks: a risk is a measure of (1) the likelihood that a particular threat will exploit a particular vulnerability and (2) the resulting impact on your organization and customers. For example, a system that allows weak passwords has a vulnerability. The threat is an attacker who could guess or crack a password and log in. The risk is that the attacker then reaches unencrypted cardholder data stored on that system and you suffer a breach.



Step 2: Analyze and rate each risk

Next, analyze the level of each risk. Risk level depends on two things. The first is likelihood: how probable it is that the threat actually affects you. For example, while organizations in Oklahoma and Utah could both technically be hit by a tornado, an Oklahoma-based organization faces a much higher likelihood and therefore a higher tornado risk level.


The second is potential impact: how would this risk affect your organization specifically? For example, the greatest risk for an organization that processes payments online might come from insecure code in its web application, while a mom-and-pop shop's biggest risk might come from physical security issues.


After you analyze your risks, assign each one a level, such as 'high,' 'medium,' or 'low,' and record the likelihood and impact that led to that rating so the scoring can be repeated consistently next year. It's important that you document step two. This gives you a prioritized list of risks to work from, forms the bulk of your risk assessment, and eventually becomes your risk management strategy.



Step 3: Define your scope by mapping cardholder data flows

After you've identified and rated your risks, define your scope (the areas of your organization that must be secured) by mapping how cardholder data flows into, within, and out of your systems. Network mapping software or a diagramming tool can make this step easier, but neither is required.


It's best to start with the assumption that everything is in scope until you've verified otherwise. Keep in mind that scope is not limited to systems that store, process, or transmit cardholder data: systems connected to the CDE, or that could affect its security if compromised (authentication servers, logging, and management consoles, for example), are in scope as well. There are four main points to look at when mapping:

  1. Where cardholder data enters your environment. Examples: POS, mobile POS, or ecommerce site.
  2. What happens to it while it is in your systems? Is it stored in the CDE? Does it go straight to accounting?
  3. Where cardholder data leaves your environment. Examples: payment processor, back-office server, backup server, third party, or outsourced systems management.
  4. Where potential or existing leaks could be, meaning any place cardholder data ends up that the intended flow never accounted for.


These are some common places where cardholder and payment data end up stored, often without anyone having planned it:

  • Workstations

  • Filing cabinets

  • Computers

  • Servers

  • Laptops

  • Email

  • Applications

  • Mobile devices

  • Operating systems

  • Calendar software

  • Encryption software


There are also tools that scan your systems and devices for specific types of data, such as credit card numbers, Social Security numbers, or birth dates, which can make this step much more thorough. Whatever tool you use, make sure its report masks the card numbers it finds; otherwise the discovery report itself becomes a new, unplanned store of cardholder data.
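Below is an added example of the kind of data-discovery check described above. It is not a SecurityMetrics tool and not code from the original article; it is a minimal Python scanner that looks for 13- to 19-digit sequences, keeps only those that pass the Luhn check (which filters out most phone numbers and order IDs), and reports each hit masked to the first six and last four digits so the report does not itself become a store of cardholder data. The sample log text, the test card numbers in it, and the file-scanning helper are constructed for this example.

```python
import re
import sys

# Candidate PAN: 13 to 19 digits, optionally written in groups separated by a
# single space or dash. The lookarounds stop a longer digit run (say a 20-digit
# serial number) from being reported as a PAN by taking a substring of it.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check every PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid candidate in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_ok(digits):
                hits.append((lineno, mask(digits)))
    return hits


def scan_file(path: str) -> list:
    """Scan one file as text; undecodable bytes are skipped rather than aborting the run."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return find_pans(fh.read())


# Constructed sample: a log excerpt containing a phone number, a 13-digit order
# ID that fails Luhn, and two well-known test card numbers, one written with dashes.
SAMPLE_LOG = """\
2024-03-01 order=1234567890123 customer phone 555-123-4567
2024-03-01 ERROR payment failed for card 4111111111111111 exp 12/26
2024-03-02 note: refund to 5555-5555-5555-4444 approved
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for lineno, masked in find_pans(SAMPLE_LOG):
            print(f"sample:{lineno}: {masked}")
    for path in paths:
        for lineno, masked in scan_file(path):
            print(f"{path}:{lineno}: {masked}")
```

Run it with one or more file paths, or with no arguments to scan the built-in sample. A plain text scan like this will not see inside databases, compressed backups, or encrypted files, and it misses numbers split across lines; it is enough to catch the stray spreadsheet, email export, or debug log, which is where unexpected cardholder data most often turns up. Note that nothing in the scanner writes or prints an unmasked number.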



Step 4: Build your risk management strategy

If you've done a good job with step two, you already have a solid foundation for your risk management strategy. In general, that strategy has three steps:


  1. Plan how you will evaluate, prioritize, and implement security controls.
  2. Implement security measures that address the greatest areas of risk first.
  3. Test the security controls you've implemented, and keep an eye out for new areas of risk.


Your documentation should include the following points, although the exact set may differ depending on your environment:


  • Risk level of each vulnerability/task

  • Date each task is completed (important for PCI compliance)

  • Comments section that includes how you will implement this security control

  • Name/signature of employee who completed task
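The following is an added example, not from the original article or from SecurityMetrics, of how the step-two ratings and the step-four documentation fields can live together in one small risk register. It assumes a three-point scale and a multiply-then-bucket rule (PCI DSS prescribes neither), and it adds a residual-likelihood field, which is not on the list above, so that the "test the controls" step shows up as a re-rating once a control is completed. The sample entries, owner names, and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Qualitative 1-3 scale and combination rule. PCI DSS does not prescribe a scale;
# this one is an assumption of the example. Record whichever rule you use in the
# assessment so that next year's ratings are comparable to this year's.
SCALE = {"low": 1, "medium": 2, "high": 3}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact (each low/medium/high) into a risk level.

    score = likelihood x impact on the 1-3 scale: 6-9 is high, 3-4 medium, 1-2 low.
    """
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass
class RiskItem:
    asset: str
    vulnerability: str
    threat: str
    likelihood: str                 # inherent likelihood, before the control exists
    impact: str
    control: str                    # comments: how the control will be implemented
    owner: str                      # employee responsible for and signing off the task
    completed: Optional[date] = None           # date completed, kept as PCI evidence
    residual_likelihood: Optional[str] = None  # likelihood once the control is in place

    @property
    def level(self) -> str:
        """Current risk level: residual once the control is done, inherent until then."""
        if self.completed and self.residual_likelihood:
            return risk_level(self.residual_likelihood, self.impact)
        return risk_level(self.likelihood, self.impact)


def prioritize(items):
    """Highest risk first; among equal levels, open items ahead of completed ones."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(items, key=lambda r: (rank[r.level], r.completed is not None))


def render(items) -> str:
    """Plain-text register with the columns the article lists."""
    rows = ["LEVEL   ASSET                    VULNERABILITY -> THREAT | CONTROL | OWNER | COMPLETED"]
    for r in prioritize(items):
        done = r.completed.isoformat() if r.completed else "open"
        rows.append(f"{r.level:<7} {r.asset:<24} {r.vulnerability} -> {r.threat} | "
                    f"{r.control} | {r.owner} | {done}")
    return "\n".join(rows)


# Constructed sample register using the kinds of findings the article describes.
SAMPLE_REGISTER = [
    RiskItem("POS back-office server", "weak password policy",
             "attacker cracks a password and reaches stored cardholder data",
             likelihood="high", impact="high",
             control="enforce strong passwords and MFA; purge stored PANs", owner="A. Patel"),
    RiskItem("Cashier workstation", "unpatched operating system",
             "malware delivered by phishing",
             likelihood="medium", impact="high",
             control="enable automatic OS updates; monthly patch check", owner="A. Patel",
             completed=date(2024, 2, 15), residual_likelihood="low"),
    RiskItem("Filing cabinet", "no lock on cabinet holding paper receipts",
             "theft of receipts by a visitor or employee",
             likelihood="medium", impact="medium",
             control="locking cabinet; shred receipts after 90 days", owner="J. Ruiz"),
    RiskItem("Store building", "single site, no off-site backup",
             "tornado destroys the site",
             likelihood="low", impact="medium",
             control="nightly encrypted off-site backup", owner="J. Ruiz"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
```

In the sample, the patched workstation drops from high to medium only because its control has a completion date and a residual likelihood recorded; an open item at the same level still sorts ahead of it. That is the behaviour you want from a register: completed work changes the rating only when someone has actually re-assessed it.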



Step 5: Bring in outside testing

It's hard to find every weakness in your organization on your own. Consider outside help in the form of professional services like these scans and tests:


  • Internal and external vulnerability scans: automated testing for weaknesses inside and outside your network (PCI DSS requires both at least quarterly, and the external scans must be run by an Approved Scanning Vendor, or ASV)

  • Penetration tests: live, hands-on testing that attempts to exploit your system's weaknesses and vulnerabilities the way an attacker would

  • Nmap scanning: a simple network scan that identifies open ports and services on your network, useful for confirming that what is actually reachable matches your scope diagram

  • Gap analysis: consultation on where your gaps in security and compliance exist and what steps need to occur next


Remember that just because a system is vulnerable doesn't mean it's exploitable, or even likely to be exploited. Some vulnerabilities require so many preconditions that the chance of a successful attack is virtually nonexistent; that is exactly what the likelihood factor in your risk rating is for. This judgment applies to how you prioritize your own work, though, not to findings from your required vulnerability scans, which still have to be remediated for the scans to pass.


While conducting a risk assessment is an important requirement, it is meant to help businesses organize and prioritize security efforts, not cause alarm or overwhelm. If you can make sure your risk assessment covers the following, you'll be on your way to a stronger, more robust security setup.


  • Vulnerabilities/threat identification

  • Assessment of current security measures

  • Likelihood of threat occurrence

  • Potential impact of threat

  • Risk level

  • Scope analysis

  • Data collection

  • Periodic review/update as needed