Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
April 26, 2022
The release of PCI DSS v4.0 introduced a more flexible framework that permits two approaches for implementing and validating PCI DSS requirements: the traditional method (defined approach) and a customized approach, which is new to v4.0. If you’re used to the traditional approach, this doesn’t change – you meet the PCI DSS requirement as it’s explicitly written. The customized approach, however, allows risk-mature entities flexibility to meet the security objectives of the PCI DSS while supporting and allowing for the design of controls that address evolving threats and technologies. When considering the two methods, entities should validate controls according to which best suits their organization.
But if organizations can design their own security controls, what happens to the previous way of meeting the PCI DSS requirements? Is this a fundamental change to the PCI DSS?
Let's understand the difference between the traditional defined approach and the new customized approach. Organizations following the defined approach will address the control processes for the requirements as written in PCI DSS v4.0. Most organizations will likely continue following the defined approach.
The customized approach means following a custom-developed set of controls adopted by the assessed entity, where most requirements are met following the defined approach. This method can be very granular; for example, the customization may address a single PCI requirement.
For organizations wishing to use the customized approach, there are some considerations that need to be addressed. First, they need to fully understand the requirement. The PCI DSS 4.0 standard provides the definition of the requirement and provides a separate customized approach objective outlining what must be addressed to meet the intent of the requirement. Second, the organization needs to determine if it’s already following the requirements as written. There’s no need to reinvent the wheel for a control that’s already being met. Lastly, if the standard approach isn’t being met, the organization should consider whether the control processes previously implemented (or planned) are suitable to meet the stated security objective.
If a customized approach is chosen, organizations must then design and prepare proposed controls to meet the security objective of the requirement and share them with their qualified security assessors (QSAs) to get feedback on whether the controls meet the stated security objective.
The following criteria apply to the creation and use of a customized approach control:
By framing the standard to meet security needs with flexibility for emerging technologies and allowing a customized approach, PCI DSS 4.0 is well positioned to address current and future technology and security challenges. Organizations wishing to use the customized approach should consider their environment and assessment requirements and involve their assessor at the earliest opportunity. The assessor can help organizations develop their customized plan, evaluate its effectiveness and tailor the test plan to meet the security objective of the PCI DSS requirements.
Optiv Security: Secure greatness.™
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to more than 7,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
PCI DSS 4.0 Is Here: When Does My Company Need To Be Ready?
Some companies should update to PCI DSS v4.0 now, while others should wait. This post features helpful details and advice on how to begin preparing.
PCI DSS 4.0: A Primer
The new Payment Card Industry Data Security Standard – version 4.0 – has been released. This post explores the details of the new standard.
Payment Card Industry (PCI) Advisory Services
Our PCI Advisory Services can build around your specific context, helping you to untangle competing requirements from multiple regulations.
Let us know what you need, and we will have an Optiv professional contact you shortly.