
PCI DSS Targeted Risk Analysis (TRA) — flexibility and customised approach

Primary statement

PCI DSS v4.0.1 requires a TRA under PCI 12.3 (annual risk assessment), 12.3.1 (frequency-based controls TRA, covering requirements such as 5.2.3.1, 7.2.5.1 and 8.6.3) and 12.3.2 (customised approach TRA). The TRA is the risk-based document that supports either flexibility on control cadence or use of the customised approach. The CSA GRC-02 cloud risk framework and SOC 2 CC3 risk principles support the TRA methodology.

Audit-fatigue payoff

A unified TRA methodology covering both frequency-based flexibility (12.3.1) and the customised approach (12.3.2) satisfies the PCI TRA requirements and the underlying risk management requirements across SOC 2, NIST, CSA and ISO 27001.

Strictness matrix

Scope
Scope: targeted risk assessment process, performed annually and before significant changes; identifies risks to the CDE.
Ceiling source: pci_dss:PCI.12.3
Rationale: PCI DSS 12.3 universal TRA scope is the audit-defensible specification.
Threshold
Threshold: for each PCI requirement providing frequency flexibility, the TRA shall justify the chosen frequency. Without a TRA, the default frequency applies.
Ceiling source: pci_dss:PCI.12.3.1
Rationale: PCI 12.3.1 TRA-or-default threshold is uniquely strict.
Method
Method: documented TRA process + annual risk assessment + before-change TRA + frequency-based TRA per 12.3.1 + customised-approach TRA per 12.3.2 + integration with CSA GRC-02 cloud risk and SOC 2 CC3 risk principles.
Ceiling source: pci_dss:PCI.12.3
Rationale: PCI 12.3 + 12.3.1 + 12.3.2 combined are the most prescriptive TRA method.
Frequency
Frequency: TRA annually at minimum + before significant changes; per-requirement TRA refresh per 12.3.1.
Ceiling source: pci_dss:PCI.12.3
Rationale: annual + change-triggered TRA is the audit-defensible cadence.
Evidence
Evidence: TRA document + risk identification + risk analysis + treatment + per-requirement TRA per 12.3.1 + customised approach TRA per 12.3.2.
Ceiling source: pci_dss:PCI.12.3
Rationale: PCI 12.3 evidence is comprehensive for TRA.

Auditor test pattern

Step 1: Inspect the annual TRA document.
Step 2: For each frequency-flexible requirement, verify the TRA-justified frequency.
Step 3: For the customised approach, verify a TRA per 12.3.2.
Step 4: Verify the TRA was refreshed on significant change.

Common findings

(1) TRA exists but covers only top-level CDE risk, not per-requirement risk.
(2) Frequency flexibility used without a TRA.
(3) Customised approach TRA absent.
(4) TRA not refreshed on change.