What is Targeted Risk Analysis as per PCI DSS v4.x

Sandbox Security

March 8, 2025

What is Targeted Risk Analysis as per PCI DSS v4.x

PCI DSS compliance

Purpose:

Ensures a consistent, risk-based approach to control implementation while maintaining PCI DSS compliance.

The PCI DSS v4.x Targeted Risk Analysis (TRA) Guidance outlines two types of TRAs introduced in PCI DSS v4.0:

TRA for Activity Frequency (Requirement 12.3.1):Allows entities to determine the frequency of specific controls (e.g., malware scans, log reviews) based on their risk assessment. Entities must document assets, threats, and risk factors but are not required to use the provided template.
TRA for Customized Approach (Requirement 12.3.2):Supports entities using a customized control to meet PCI DSS requirements. The TRA must demonstrate equivalent protection to the original requirement.

Key Points:

TRAs are mandatory only when explicitly statedin a requirement.
Annual reviewof TRAs is required, with updates as needed.
Cannot reduce activity frequencybelow PCI DSS requirements without a customized approach (requires separate TRA).
Assessors verifythat all TRA elements (e.g., justification for frequency) are documented.

Example Requirements & Suggested Frequencies:

Malware scans (5.3.2.1):
Password changes (8.6.3):Every 3 months.
POI device inspections (9.5.1.2.1):
Log reviews (10.4.2.1):

FAQs Highlights:

TRAs cannot override minimum PCI DSS frequencies.
Enterprise-wide risk assessments (e.g., ISO 27005) may inform TRAs but are not mandatory.
Compensating controls are needed if technical/business constraints prevent compliance.

Note:

Suggested frequencies are baseline recommendations; entities must still conduct a TRA to validate their chosen frequency. Templates are optional, but all required elements must be included.