
PCI – Where Did the Frequencies Go? Welcome to the World of Targeted Risk Analysis
With PCI DSS 4.0, nine of the requirements were rewritten to allow the assessed entity to define how frequently each control should be performed. While that flexibility sounded great to some folks, others weren’t exactly thrilled, because guess what? It means more paperwork. Every. Single. Year. Each of these nine requirements now needs a Targeted Risk Analysis (TRA) to justify the frequency you choose. Let’s walk through each one and decide what might be best for your company.