This policy explains Aurora University’s position on how the organization formalizes the risk assessment required by PCI DSS.
This policy applies to all people, processes, and technology involved in the storage, processing, or transmission of cardholder data, including those that are not directly involved in processing cardholder data but still have the potential to affect the security of the cardholder data environment (CDE).
PCI DSS Requirement 12.2 requires every entity subject to the standard to implement a risk-assessment process that is performed at least annually and upon significant changes to the environment. As part of the annual Enterprise Risk Assessment process, Aurora University will assess all card processing activities in order to identify threats and vulnerabilities that could negatively impact the security of cardholder data, and will document the results in a formal risk assessment. The PCI Risk Assessment shall include:
- Current and Future Merchant processing activities
- Current and Future Service Provider processing activities
- Current and Future Acquirer processing activities
- Results of all Merchant Self-Assessment Questionnaire (SAQ) submissions and their compliance status
- Results of all Approved Scanning Vendor (ASV) scans and their compliance status
- Results of all Acquirer Attestations and Project Plans
- Current and Future Transaction Volume
- Introductions/Changes of Product Lines or Service Offerings
- Introductions/Changes to Software Applications in the Cardholder Data Environment (CDE)
- Introductions/Changes to Third Party relationships
- Changes to Network Topology impacting the Cardholder Data Environment (CDE)
- Any other substantial payment processes deemed appropriate for inclusion to this evaluation
The ITS security team uses an adapted version of the NIST risk assessment framework, and the documented PCI risk assessment is a product of the annual Enterprise Risk Assessment performed by ITS security staff. This Enterprise Risk Assessment also takes into consideration other Information Technology regulatory requirements, systems, threats, and vulnerabilities outside the scope of PCI DSS.