PCI DSS 4.0.1 · 22 ROWS · 5×5 SCORING

PCI DSS 4.0.1 Risk Register — 22 Risks for Targeted Risk Analysis (Req 12.3.1)

PCI DSS v4.0 introduced the targeted risk analysis (TRA), retained in 4.0.1. Requirement 12.3.1 requires a TRA for every requirement that leaves the entity to decide how often a control is performed (the ones worded 'periodically'): the analysis documents the assets being protected, the threat the requirement guards against, the factors that drive likelihood and impact, and the reasoning that justifies the chosen frequency, and it is reviewed at least once every 12 months. Requirement 12.3.2 requires a separate TRA for each control implemented with the customised approach. This 22-row register is structured to feed both: each row is a realistic CDE risk mapped to the requirement that mitigates it, scored before and after controls, with the control column stating the frequency wherever the requirement leaves it to the entity.

22 risks identified · 18 critical inherent · 0 critical residual · Framework: PCI DSS 4.0.1
Who this is for
  • Merchants Level 1–4 (SAQ through ROC)
  • Service providers approaching the annual ROC + AOC
  • QSAs collecting client TRA evidence now that the future-dated 4.0.1 requirements are mandatory (31 March 2025)
Methodology

A 12.3.1 TRA has to show the asset being protected, the threat, the factors that make that threat more or less likely and more or less damaging, and the reasoning that arrives at a control frequency. The register scores each row the same way: likelihood (L) and impact (I) on a 1 to 5 scale, multiplied to give an inherent score before controls and a residual score after them, written as L×I=score. Controls mostly reduce likelihood; where a control also shrinks the blast radius (tokenisation, segmentation) the impact score drops as well. A score of 15 or more is counted as critical, which is where the 18 inherent / 0 residual figures above come from; no residual score in this register exceeds 8, because every row carries a named, testable control.
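Registers in this format tend to drift once people edit them in a spreadsheet: a score cell that no longer equals L×I, or a residual score that somehow exceeds the inherent one. As an added example (not the page's own tooling; the CSV column names are assumed, and the five sample rows are constructed, two of them deliberately broken), here is a Python checker that validates rows written in the register's L×I=score notation and reproduces the critical counts at the 15-or-more threshold used above.

```python
import csv
import io
import re

# Constructed sample in the register's own "L×I=score" notation.
# Column names are assumed; R-98 and R-99 are deliberately broken rows.
SAMPLE_CSV = """id,threat,inherent,residual,reference
R-01,Untrusted network reaches CDE,4×5=20,2×4=8,Req 1.2 / 1.3
R-04,Cryptographic key compromise,2×5=10,1×4=4,Req 3.6 / 3.7
R-15,Time-sync drift breaks forensics,3×3=9,1×2=2,Req 10.6
R-98,Arithmetic does not add up,3×4=15,1×1=1,Req 2.2
R-99,Residual worse than inherent,3×5=15,4×4=16,Req 7.2
"""

SCORE_RE = re.compile(r"^\s*([1-5])\s*[x×]\s*([1-5])\s*=\s*(\d{1,2})\s*$")
REF_RE = re.compile(r"^Req \d+(\.\d+)*( / \d+(\.\d+)*)*$")
CRITICAL = 15  # assumed threshold: a score of 15 or more counts as critical


def parse_score(cell):
    """Return (likelihood, impact, score) from a cell like '4×5=20'.

    Raises ValueError when the cell is malformed or L*I != score.
    """
    m = SCORE_RE.match(cell)
    if not m:
        raise ValueError(f"unparseable score cell {cell!r}")
    likelihood, impact, score = (int(g) for g in m.groups())
    if likelihood * impact != score:
        raise ValueError(f"{likelihood}x{impact} is {likelihood * impact}, not {score}")
    return likelihood, impact, score


def validate_register(csv_text):
    """Check every row; return counts plus a list of human-readable problems."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    problems = []
    critical_inherent = critical_residual = 0
    for row in rows:
        rid = row["id"]
        try:
            il, ii, inherent = parse_score(row["inherent"])
            rl, ri, residual = parse_score(row["residual"])
        except ValueError as exc:
            problems.append(f"{rid}: {exc}")
            continue
        # A control can only lower likelihood or impact, never raise either.
        if rl > il or ri > ii:
            problems.append(f"{rid}: residual {rl}x{ri} exceeds inherent {il}x{ii}")
        if not REF_RE.match(row["reference"]):
            problems.append(f"{rid}: reference {row['reference']!r} is not in 'Req x.y / x.z' form")
        critical_inherent += inherent >= CRITICAL
        critical_residual += residual >= CRITICAL
    return {
        "rows": len(rows),
        "critical_inherent": critical_inherent,
        "critical_residual": critical_residual,
        "problems": problems,
    }


if __name__ == "__main__":
    for key, value in validate_register(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Run it over the exported CSV before handing the register to a QSA; a non-empty `problems` list is the thing to fix, and the two critical counts should match the headline figures.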

Req 1 — Network

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-01 | Untrusted network reaches CDE | Flat network without segmentation | 4×5=20 | Documented network segmentation with default-deny inbound to the CDE; segmentation penetration test annually (every six months for service providers, Req 11.4.6). | 2×4=8 | Mitigate | Network Security | Req 1.2 / 1.3

Req 2 — Configuration

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-02 | Default vendor passwords in CDE | Network appliance shipped with admin/admin still in place | 3×5=15 | Hardening standard for every device class; documented commissioning checklist. | 1×4=4 | Mitigate | IT | Req 2.2

Req 3 — Stored CHD

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-03 | Cardholder data stored unencrypted | Application logs containing PAN | 3×5=15 | PAN tokenised at capture; log pipeline scrubs PAN before storage; quarterly PAN-discovery scan over logs, backups and file shares. | 1×4=4 | Mitigate | Engineering | Req 3.2 / 3.5
R-04 | Cryptographic key compromise | Keys stored alongside encrypted data | 2×5=10 | HSM-managed keys with split knowledge and dual control for key custodians; documented key-management procedures. | 1×4=4 | Mitigate | Crypto Custodians | Req 3.6 / 3.7
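The PAN-discovery scan in R-03 is the control most often claimed and least often demonstrated. As an added example (not the page's own tooling; the log lines are constructed and the card numbers are well-known public test values, and the issuer-prefix table is a simplified assumption), here is a Python scanner that finds PAN-shaped digit runs in log text, drops candidates that fail the Luhn check or have no plausible issuer prefix, reports findings with only the last four digits, and can scrub a line in place so the output of the scan itself never becomes a new store of cardholder data.

```python
import re

# Constructed log sample. The card numbers are well-known test values from
# public test ranges, not real account numbers.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z INFO checkout order=1234 pan=4111111111111111 amount=12.50
2024-05-01T10:02:12Z INFO checkout order=1235 pan=4111-1111-1111-1112 amount=9.99
2024-05-01T10:02:13Z DEBUG gateway_resp card=5500000000000004 code=00
2024-05-01T10:03:00Z INFO shipment tracking=1234567890123456
2024-05-01T10:04:00Z INFO checkout order=1236 token=tok_8f3a last4=1111
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Simplified issuer prefixes (an assumption for this example; a production
# scanner uses the full IIN table): Visa, Mastercard, Amex, Discover.
BRAND_RE = re.compile(r"^(?:4|5[1-5]|2[2-7]|3[47]|6011|65)")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line):
    """Return (start, end, digits) for every candidate passing brand + Luhn."""
    hits = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and BRAND_RE.match(digits) and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask(digits):
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_line(line):
    """Replace every detected PAN with its masked form, working right to left."""
    for start, end, digits in reversed(find_pans(line)):
        line = line[:start] + mask(digits) + line[end:]
    return line


def scan_log(text):
    """Return (line_number, masked_pan) per finding; full PANs are never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for _, _, digits in find_pans(line):
            findings.append((lineno, mask(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN ending {masked[-4:]} found")
```

On the sample, line 1 and line 3 are reported; the dashed number on line 2 fails Luhn, the tracking number on line 4 has no issuer prefix, and the tokenised line 5 carries nothing to find. Luhn plus a prefix check still yields false positives on long numeric identifiers, so triage the findings rather than treating the count as the answer, and keep the scanner's own output out of the log store it scans.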

Req 4 — Transmission

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-05 | CHD intercepted in transit | TLS 1.0 still permitted on legacy endpoint | 3×5=15 | TLS 1.2+ enforced; quarterly cipher scan; legacy endpoints retired or wrapped. | 1×4=4 | Mitigate | SRE | Req 4.2

Req 5 — Malware

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-06 | Malware on CDE host | AV not deployed on Linux servers | 3×5=15 | EDR on every CDE asset (Windows and Linux); any component excluded as 'not at risk' carries a documented 5.2.3 evaluation at a TRA-defined frequency; 24/7 SOC monitoring; isolation playbook. | 2×4=8 | Mitigate | IT | Req 5.2

Req 6 — Secure Dev

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-07 | Web-app vulnerability exploited (OWASP Top 10) | No SAST; no pen test | 4×5=20 | SAST/DAST in CI with code review before merge; annual third-party pen test; WAF in blocking mode. | 2×4=8 | Mitigate | Engineering | Req 6.2 / 6.4
R-08 | Unauthorised production change | Direct DB writes; no PR review | 4×5=20 | Change-management ticketing; PR + at least one reviewer; deploy-log audit trail. | 2×4=8 | Mitigate | Engineering | Req 6.5

Req 7 — Access

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-09 | Excessive CDE access | Role-based access poorly defined | 4×5=20 | RBAC with documented role definitions; least-privilege review quarterly. | 2×4=8 | Mitigate | IT | Req 7.2 / 7.3

Req 8 — Identity

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-10 | Shared admin account in CDE | 'pos-admin' shared by 6 staff | 4×5=20 | Unique IDs per user; named accounts only; PAM for break-glass scenarios. | 1×4=4 | Mitigate | IT | Req 8.2
R-11 | Single-factor admin access | Password-only for admin actions in CDE | 4×5=20 | MFA required for all access into the CDE (8.4.2, which v4.0 extended beyond administrative access; mandatory since 31 March 2025). | 2×4=8 | Mitigate | IT | Req 8.4 / 8.5

Req 9 — Physical

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-12 | Physical media with CHD lost | Backup tapes shipped without tracking | 3×5=15 | Bonded courier; chain-of-custody log; encryption mandatory. | 1×4=4 | Mitigate | Facilities | Req 9.4
R-13 | Skimmer on POS terminal | Devices not inspected | 3×5=15 | Documented POS inspection schedule; tamper-evident seals; staff training. | 2×4=8 | Mitigate | Store Ops | Req 9.5.1

Req 10 — Logging

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-14 | Audit log gap | Auth events not centralised | 4×4=16 | Centralised SIEM; 12-month retention with at least 3 months immediately available; daily review of security events and CDE logs, with the review frequency for other logs set by TRA (10.4.2.1). | 2×3=6 | Mitigate | SecOps | Req 10.2 / 10.4 / 10.5
R-15 | Time-sync drift breaks forensics | Hosts off NTP | 3×3=9 | Hardened NTP; alert on >5s drift. | 1×2=2 | Mitigate | SRE | Req 10.6
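The 'daily review of high-risk events' in R-14 is the part of Requirement 10 that most often exists only as a sentence in a policy. As an added example (not the page's tooling; hostnames, usernames, addresses and thresholds are constructed), here is the review logic a SOC would run over centralised sshd auth logs from CDE hosts. It flags credential guessing that ends in a successful login (the lockout R-11's neighbour 8.3.4 is meant to prevent), one account accepted from several sources in a short window (the shared-account pattern of R-10, Req 8.2.2), and any login to a privileged generic account, whose actions 10.2.1.2 requires to be logged.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth lines in syslog format. Hosts, users and addresses are invented.
SAMPLE_AUTH = """\
Mar 12 09:00:01 cde-db01 sshd[2211]: Failed password for dbadmin from 10.20.0.5 port 51000 ssh2
Mar 12 09:00:03 cde-db01 sshd[2212]: Failed password for dbadmin from 10.20.0.5 port 51001 ssh2
Mar 12 09:00:05 cde-db01 sshd[2213]: Failed password for dbadmin from 10.20.0.5 port 51002 ssh2
Mar 12 09:00:07 cde-db01 sshd[2214]: Failed password for dbadmin from 10.20.0.5 port 51003 ssh2
Mar 12 09:00:09 cde-db01 sshd[2215]: Failed password for dbadmin from 10.20.0.5 port 51004 ssh2
Mar 12 09:00:11 cde-db01 sshd[2216]: Failed password for dbadmin from 10.20.0.5 port 51005 ssh2
Mar 12 09:00:20 cde-db01 sshd[2219]: Accepted password for dbadmin from 10.20.0.5 port 51006 ssh2
Mar 12 09:15:00 cde-app01 sshd[3001]: Accepted publickey for pos-admin from 10.20.1.10 port 40000 ssh2
Mar 12 09:16:00 cde-app02 sshd[3002]: Accepted publickey for pos-admin from 10.20.1.11 port 40001 ssh2
Mar 12 09:17:00 cde-app01 sshd[3003]: Accepted publickey for pos-admin from 10.20.1.12 port 40002 ssh2
Mar 12 09:30:00 cde-app01 sshd[3010]: Accepted publickey for alice from 10.20.1.20 port 40010 ssh2
Mar 12 09:31:00 cde-app01 sshd[3011]: Accepted publickey for root from 10.20.1.20 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Review thresholds (assumptions for this example). Req 8.3.4 requires lockout
# after no more than 10 invalid attempts; reviewing at 5 surfaces it earlier.
FAIL_THRESHOLD = 5
WINDOW_SECONDS = 600
SHARED_SOURCES = 3
PRIVILEGED = {"root", "administrator"}


def parse_events(text):
    """Parse sshd Accepted/Failed lines into dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            # Syslog lines carry no year; relative deltas within one file are all we need.
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")
            events.append(e)
    return events


def within(window_end, ts):
    return 0 <= (window_end - ts).total_seconds() <= WINDOW_SECONDS


def review_auth_events(text):
    """Return the alerts a daily Req 10.4.1 review should surface for these lines."""
    alerts = []
    failures = defaultdict(list)   # (host, user, src) -> failure timestamps
    accepted = defaultdict(list)   # user -> [(ts, src, host)]
    for e in parse_events(text):
        key = (e["host"], e["user"], e["src"])
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            continue
        accepted[e["user"]].append((e["ts"], e["src"], e["host"]))
        recent = [t for t in failures[key] if within(e["ts"], t)]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append({"rule": "guessing_then_success", "ref": "Req 8.3.4",
                           "user": e["user"], "src": e["src"], "host": e["host"],
                           "failures": len(recent)})
        if e["user"] in PRIVILEGED:
            alerts.append({"rule": "privileged_login", "ref": "Req 10.2.1.2",
                           "user": e["user"], "src": e["src"], "host": e["host"]})
    # One account accepted from several sources inside a short window is the
    # signature of a shared credential, whatever the account is named.
    for user, logins in accepted.items():
        logins.sort()
        for ts, _, _ in logins:
            sources = {s for t, s, _ in logins if within(ts, t)}
            if len(sources) >= SHARED_SOURCES:
                alerts.append({"rule": "possible_shared_account", "ref": "Req 8.2.2",
                               "user": user, "sources": sorted(sources)})
                break
    return alerts


if __name__ == "__main__":
    for alert in review_auth_events(SAMPLE_AUTH):
        print(alert)
```

On the sample this yields three alerts: six failures for dbadmin followed by success from the same address, a direct root login, and pos-admin accepted from three addresses within two minutes. Whatever tool runs this in production, the point for the TRA is that the review is a repeatable query with stated thresholds, not an analyst 'having a look'.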

Req 11 — Testing

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-16 | Vulnerability scan stale | Quarterly scans not run | 4×5=20 | Internal and external (ASV) scans at least quarterly; re-scan after any significant change. | 2×4=8 | Mitigate | Security | Req 11.3
R-17 | Pen test stale | Annual pen test missed; segmentation untested | 3×5=15 | Pen test annually and after significant change; segmentation test annually, every six months for service providers. | 1×4=4 | Mitigate | Security | Req 11.4
R-18 | Change-detection gap | FIM disabled on CDE | 3×4=12 | FIM (e.g., Tripwire / Wazuh) on critical CDE files; alerts to SOC. | 2×3=6 | Mitigate | SRE | Req 11.5

Req 12 — Policy

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-19 | Policies stale / unread | Last review > 12 months | 4×3=12 | Annual policy review; HRIS-tracked acknowledgement; tabletop schedule. | 2×2=4 | Mitigate | CISO | Req 12.1

Req 12 — TRA

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-20 | TRA missing for a periodic or customised control | Frequency set to 'periodically' without a documented TRA | 4×4=16 | TRA per 12.3.1 for every requirement whose frequency the entity defines, and per 12.3.2 for every customised-approach control; each reviewed at least every 12 months. | 1×3=3 | Mitigate | Compliance | Req 12.3.1 / 12.3.2

Req 12 — Vendor

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-21 | Service provider non-compliant | Vendor's AOC missing or stale | 3×5=15 | Vendor management programme; AOC review pre-onboarding and annually; documented responsibilities. | 2×4=8 | Mitigate | Vendor Mgmt | Req 12.8

Req 12 — IR

ID | Threat | Vulnerability | Inherent (L×I) | Control | Residual (L×I) | Treatment | Owner | Reference
R-22 | Incident response plan untested | Runbook exists but never exercised | 3×5=15 | Annual IR tabletop; on-call rota; stakeholder comms tree; post-mortem template. | 2×4=8 | Mitigate | SecOps | Req 12.10

FAQ

Is the TRA required for SAQ-A merchants?

A customised-approach control always needs a TRA (12.3.2). Most SAQ A merchants use the defined approach, so that trigger rarely applies to them. The 12.3.1 trigger is separate: any requirement in scope for your SAQ whose frequency is 'periodically' needs a documented TRA, whatever your merchant level.

When did 4.0.1 transition from optional to required?

Two dates matter. PCI DSS v4 became the only assessable version on 31 March 2024, when v3.2.1 was retired; 4.0.1, a limited revision published in June 2024, replaced v4.0 at the end of 2024. The future-dated requirements (those marked 'best practice until 31 March 2025'), including 12.3.1 and the expanded MFA requirement 8.4.2, became mandatory on 31 March 2025.

How does this register relate to Requirement 12.3.3 (cryptographic risk analysis)?

12.3.3 is not a TRA in the 12.3.1 sense. It requires an inventory of the cryptographic cipher suites and protocols in use, reviewed at least once every 12 months, with active monitoring of industry trends (deprecations, weakened algorithms) and a documented plan to respond to them. This register holds the high-level crypto risks (R-04 key management, R-05 transmission); pair it with that inventory, which should record algorithm, key length, protocol version and certificate expiry for each use.

Will this satisfy a QSA?

It is strong baseline evidence. Customise it to your actual CDE (your network diagram, your data flows, your service providers) and walk it with your QSA at the start of the engagement.
