When must merchants conduct a risk assessment according to PCI DSS?

According to the Payment Card Industry Data Security Standard (PCI DSS), merchants must conduct a risk assessment regularly and when significant changes are made to their payment systems. This requirement ensures that organizations remain aware of evolving risks in their environment throughout the year, rather than only in response to specific triggers such as data breaches or employee changes.

Regular assessments allow merchants to identify and address new vulnerabilities proactively, such as those arising from changes in technology, business processes, or threats. By reassessing risks regularly and following significant changes, merchants can implement appropriate security measures to protect cardholder data effectively and maintain compliance with PCI DSS requirements. This approach is fundamental to fostering a secure payment environment and minimizing potential security risks that may arise from dynamic business conditions.
