# PCI DSS v4.x Sample Template: Targeted Risk Analysis for Activity # Frequency The following is a sample template that an entity may use to document a targeted risk analysis (TRA) for any PCI DSS requirement that specifies completion of a TRA to define how frequently an entity performs an activity. **_Note_**: _While it is not required that an entity follows the specific format provided here, the entity’s targeted risk analysis must include all this information, as defined in [[12.3.1 requirement guidance\|PCI DSS v4.x Requirement 12.3.1]]._ ## PCI DSS Requirement Number: --- - Date of initial TRA: --- - Date of most recent review of the TRA to confirm the results are still valid. --- ### Item / Details --- 1. Identify the Asset(s) being protected. --- 2. Identify the threat(s) that the requirement is protecting against. --- 3. Identify the factor(s) that contribute to the likelihood and/or impact of the threat being realized. --- 4. Describe the analysis of and justification for how frequently the requirement must be performed to minimize the likelihood of the threat being realized. --- 5. Is an updated analysis needed, based on an annual review? --- 6. Are there defined and documented policies and procedures for performing the entity’s targeted risk analyses (TRA) consistently?