|By Dominic Monkhouse||
|December 21, 2012 11:56 AM EST||
This is according to general manager of the PCI Security Standards Council (PCI SSC) Bob Russo, who told Bankinfosecurity.com that this is vital to spotting any weak links in the card data protection chain, which could undermine an entire system.
Performing annual risk assessments is one of the 12 central requirements firms must go through to be certified PCI compliant, but it may be the case that some companies do not devote adequate time and resources to this and assume their systems will still be secure.
Mr Russo explained: "The standard requires an annual risk assessment, because the DSS (data security standard) validation is only a snapshot of your compliance at a particular point in time." Therefore, it is possible that changes that have been made to a system since the previous evaluation could have undermined security protections or opened up new vulnerabilities.
He added the PCI SSC has received a large number of requests for clarity on how to best perform a risk assessment in order to identify gaps in their security procedures. This is why the body introduced new guidelines for the process earlier this month.
This document contains a number of recommendations for improving the procedure of evaluating a firm's data protection security solutions. These include implementing a formal methodology that takes into account the culture of an organisation and its unique requirements.
Guidance offered as part of the publication states: "Organisations will need to define and document their risk-assessment methodology, identify individuals who will need to be involved, assign roles and responsibilities and allocate resources."
It also suggested companies pursue a continuous risk assessment process rather than treating the requirements as a once-a-year occurrence. This makes it easier to uncover emerging threats and vulnerabilities as soon as they appear, allowing a company to take a more proactive approach to mitigate such risks.
Mr Russo observed that every organisation is different and the necessary precautions and measures will vary from firm to firm. However, there are a few constants that all enterprises need to consider.
"Size is just one of the many factors," he stated. "A smaller organisation, for instance, has fewer assets that they have to consider. But the core components of the risk assessment are really going to be the same."
The importance of PCI compliant systems has been highlighted in recent years by a series of high profile breaches, Bankinfosecurity.com stated. This included an attack on Heartland Payments Systems in 2009 that exposed the information of 130 million credit and debit cards in the US.
As a result of this, Heartland is now offering advice to ecommerce merchants using its payment processing solutions, as many of these firms lack knowledge and experience of security issues.
Chief security officer at the firm John South said: "Their speciality is not in securing networks and many have little or no experience in installing hardware or software to do that."