A targeted risk analysis, as the name suggests, is a risk analysis focused on a narrow scope, often a single asset, threat, or control. Its purpose is to determine the level of risk and to help define specific aspects of an entity's risk management practices.
Various requirements in PCI DSS v4.0 and earlier versions include controls that must be performed periodically, at a regular interval. Common intervals have been daily, quarterly, and annually. While these fixed intervals are widely used, many entities wanted more flexibility as to when, and how often, some activities must be undertaken.
PCI DSS v4.0 has introduced the concept of a Targeted Risk Analysis to help define the periodicity of certain requirements. The ability to define how often an action needs to be repeated adds considerable flexibility to how a control is implemented. Several requirements in PCI DSS v4.0 now allow an entity to perform a Targeted Risk Analysis, which helps determine how often the action should be repeated to maintain an acceptable level of risk. For example, requirement 18.104.22.168 allows the entity to define, using a Targeted Risk Analysis, how often “All access by application and system accounts and related access privileges are reviewed.”