[PCI DSS 1.x] 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment

12.1.2 Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment


What are the latest views on the RISK process for PCI? We are a small org of fewer than 50 people and do not store cardholder data. What risk process should we be looking to develop?

For your organization it may be as simple as reviewing the state of your security posture against the SANS Top 20, reviewing your quarterly vulnerability scan results and your annual pen test results, and remediating any issues. You say you don't store any data - how do you know that? Many times the data is stored in log files that no one knew about.
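The "how do you know that?" point above is worth backing with an actual check. The following is an added example, not code from anyone in this thread: a small scanner that walks log text for 13- to 19-digit runs (spaces or dashes allowed between groups), drops anything that fails the Luhn check, and reports hits masked to first six / last four so the report itself is not a new place where PANs live. The log lines and the brand-prefix table are constructed for the example; the card numbers are the standard test numbers, not real accounts.

```python
import re

# Constructed sample log lines for this example (not from the original thread).
# The card numbers are published test numbers; line 4 is a 16-digit session id
# that looks like a PAN but fails Luhn, which is exactly the false positive a
# plain digit-regex would report.
SAMPLE_LOG = """\
2014-03-01T10:00:01Z INFO  checkout ok order=1001 last4=4242
2014-03-01T10:00:02Z DEBUG gateway request body: {"pan":"4111111111111111","exp":"12/16"}
2014-03-01T10:00:03Z WARN  retry for 5500 0000 0000 0004 after timeout
2014-03-01T10:00:04Z INFO  session id 1234567890123456 created
2014-03-01T10:00:05Z ERROR tokenization failed for 378282246310005
"""

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_hint(digits: str) -> str:
    """Coarse issuer hint from the leading digits (Visa, Mastercard 51-55, Amex)."""
    if digits.startswith("4"):
        return "Visa"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "Mastercard"
    if digits[:2] in {"34", "37"}:
        return "Amex"
    return "unknown"


def mask_pan(digits: str) -> str:
    """PCI-style masking: keep first six and last four, star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return one record per Luhn-valid candidate: line number, masked PAN, brand."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_ok(digits):
                continue            # digit run that is not a card number
            hits.append({
                "line": line_no,
                "masked": mask_pan(digits),
                "brand": brand_hint(digits),
            })
    return hits


if __name__ == "__main__":
    for hit in find_pans(SAMPLE_LOG):
        print("line {line}: {masked} ({brand})".format(**hit))
```

Run it against real log directories before concluding that no cardholder data is stored; expect some noise from order or tracking numbers that happen to pass Luhn, so confirm hits by hand, and never write the unmasked match anywhere.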

In PCI DSS v3.0, a formal risk assessment is to be done in particular for 10.6 (logs). Does this mean that all systems could require logs even if they are outside of the PCI scope?

PCI DSS 3.0 #10.6.2 just says that your company should review logs in a general manner, not just the logs of critical CDE systems.

It is a kind of general recommendation.

What is said about the risk assessment is: the logs that should be reviewed, and the review frequency, should be defined by the risk assessment. In other words:

Once a year, think with an expert about which logs would be interesting to review from time to time for security reasons…

Hope this clarifies.