PCI DSS Mandatory Risk Ranking

PCI requirement 6.2 “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” includes the additional note:

“The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.”

As the summer (at least in the Northern Hemisphere) is almost upon us, this seems like a good time to remind ourselves what this deadline means to your PCI compliance activities.

Here are the details, as supplied by the PCI SSC.

1. After June 30, 2012, organizations will be required to assign risk rankings to newly detected vulnerabilities affecting the CDE as part of the ongoing vulnerability identification process established in Requirement 6.2. Guidelines for classifying risk are provided by the Council as follows:

  • Risk ranking systems should be based upon industry standards or best practices.
  • The risk ranking assignment should classify risk in a manner which facilitates prioritisation for remediation. (Example: High, Medium, Low)

2. When application development is in scope of an entity’s CDE, Requirement 6.5.6 will necessitate testing against the vulnerabilities classified as “high” risk as part of the secure application development process.

3. Additional Testing Procedures are indirectly affected by the cutoff date and include:

2.2.b: Updating of system configuration standards as new vulnerabilities are identified
10.4.a: Vulnerability identification in time synchronization technologies
11.2.1.b: Internal vulnerability scanning relative to vulnerabilities classified as “high”
11.2.3.b: Internal vulnerability scanning relative to vulnerabilities classified as “high”
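One way to put the guidance in point 1 into practice, as an added illustration that is not part of this post or any PCI SSC material: the script below takes the NVD's CVSS v2 severity bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0) as the "industry standard" basis for the ranking, orders CDE findings for remediation, and pulls out the "high" ones that 6.5.6, 11.2.1.b and 11.2.3.b single out. The vulnerability records and their ids are constructed sample data, not real findings.

```python
"""Added example: risk ranking newly discovered vulnerabilities for PCI DSS 6.2.

Assumption: the entity has chosen the NVD CVSS v2 severity bands as its
industry-standard basis. Any other standard would plug into risk_rank() the same way.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    ident: str         # tracking id (constructed placeholder, not a real CVE)
    cvss_base: float   # CVSS v2 base score from the scanner or advisory
    affects_cde: bool  # does the finding touch the cardholder data environment?


def risk_rank(score: float) -> str:
    """Map a CVSS v2 base score onto the High/Medium/Low scheme the Council cites."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritise(vulns):
    """Return (ident, rank) for CDE findings, highest risk first, for remediation planning."""
    ranked = [(v.ident, risk_rank(v.cvss_base), v.cvss_base)
              for v in vulns if v.affects_cde]
    ranked.sort(key=lambda t: -t[2])  # descending by score
    return [(ident, rank) for ident, rank, _ in ranked]


def high_risk_ids(vulns):
    """CDE findings ranked 'high': these must be addressed and re-scanned (11.2.1.b / 11.2.3.b)."""
    return [v.ident for v in vulns
            if v.affects_cde and risk_rank(v.cvss_base) == "High"]


# Constructed sample findings; VULN-003 is out of scope because it does not affect the CDE.
SAMPLE = [
    Vuln("VULN-001", 9.3, True),
    Vuln("VULN-002", 5.0, True),
    Vuln("VULN-003", 7.5, False),
    Vuln("VULN-004", 2.1, True),
    Vuln("VULN-005", 7.2, True),
]

if __name__ == "__main__":
    for ident, rank in prioritise(SAMPLE):
        print(f"{ident}: {rank}")
    print("high-risk, needs clean re-scan:", high_risk_ids(SAMPLE))
```

The important point for an assessment is that the thresholds are written down and applied consistently; the QSA will want to see the documented basis (here, the NVD bands) alongside the ranked output.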

Bear in mind that if you are undergoing an assessment after June 30th this year, there will be additional requirements to meet regarding the above.

Useful reading:

Sample PCI DSS Penetration Testing Policy

Sample PCI Penetration Testing Procedures
