What Are the Impact Analysis Requirements for PCI DSS Compliance

Change documentation should include assessing the change’s impact so that all impacted parties may plan adequately for any processing adjustments, according to PCI DSS requirement 6.4.5.1.

The term “impact analysis” refers to the process of determining the impact of changes to a deployed application. Impact analysis provides information about areas of the system affected by a change in a particular part of the application or its features.

See Also: PCI Web Application Security Requirements

The impact is analyzed on Requirements, Design and Architecture, Impact on Test, and Impact on the program.

Controlling the impact of new features or modifications on the system’s performance becomes critical as new features or changes are added to the application. Therefore, Impact Analysis is done.

The Impact Analysis document can be used as a checklist. For low-risk modifications, templates can be helpful as a checklist, but not every element needs to be filled out. However, the template can be too restrictive; it’s a good guideline to consider who the audience will be instead.

See Also: How to Perform Code Reviews for PCI Requirements

For non-technical managers, it’s better to focus on the business rationale for the change. The Impact Analysis document should provide details such as:

• Brief description of the problem
• How the defect caused the failure
• Complexity estimation
• Estimate cost and time for correction
• Functionality to be tested
• New test cases created for change
• Reference document or technical specification requirements

Who are the affected parties?

Affected parties depend on your environment, but consider the following:

• Reviewers
• Testers
• Document authors
• Users
• Database Administrators
• Identity and Access Managers
• Support Team
• Business process owners
• Risk owners
• Privacy owners

What kinds of effects need to be documented?

• How are changes tested?
• What is the expected outcome of the change?
• If a field no longer allows a particular input type, or if a new field has been added.
• If you’ve switched to a new payment processor,
• If the logs are discovered to contain sensitive information
• If the cryptographic conditions have changed and what consequences might this have?
• Whether storage requirement estimates will change
• Whether bandwidth requirements will increase
• Whether new API functions have been added or existing ones have been modified.
• What impact will the change have on PCI DSS compliance?

What types of tests should be done?

• Static and dynamic testing of the application
• Static and dynamic testing of servers
• Database schema reviews
• Database content review
• Log content review
• API function review and log entries made by all API calls
• Cryptographic compatibility reviews
• Diagnostics and enhanced logging feature review
• If changes include customer sign-in facilities, management reviews
• Management reviews if an end-user has access to card information after submission

Ensure the test request does not include any information about the portions of the project affected by the changes before beginning the Impact Analysis. The communication between the developer and the tester must continue to avoid missing any changes needed to implement in the final product.

See Also: Best Practices and Recommendations for API Security

Determine if any UI changes, deletions, or additions are necessary. Estimate the number of acceptance, system, or integration test cases that will be required. Describe the impact of the proposed change on another project plan, configuration management plan, or quality assurance plan.

• The Impact Analysis document is essential, especially in large-scale projects where programmers work in geographically diverse locations.
• The lead must approve the Impact Analysis document to ensure that the change will not affect the other component working well in production.
• Impact Analysis is required to ensure the requirement is fully understood and all components to be replaced have been identified to avoid rework.
• Impact Analysis is also necessary for the accountability of customer stakeholders. Otherwise, the developer will be the scapegoat if something goes wrong after deployment.
• Impact Analysis is the basis of forecasting. So without documentation of impact, the prediction has no basis whatsoever; it may be too high or too low. It’s also easy to explain if it exceeds the actual effort with Impact Analysis.

Testing guidance for PCI DSS Requirement 6.4.6 requires QSA to look at all documents produced as part of a material change, including any or all of the above change management and supplemental paperwork. Therefore, QSA will check your impact analysis documents during the PCI audit.