Outlining the PCI DSS v4.0 Customized Approach

April 26, 2022

  • PCI DSS v4.0 permits two approaches for implementing and validating PCI DSS requirements: the traditional method and a customized approach.
  • The customized approach allows risk-mature entities flexibility to meet PCI DSS security objectives while supporting and allowing for the design of controls that address evolving threats and technologies.
  • Organizations should validate controls according to which best suits their requirements.

 


 

The release of PCI DSS v4.0 introduced a more flexible framework that permits two approaches for implementing and validating PCI DSS requirements: the traditional method (defined approach) and a customized approach, which is new to v4.0. If you’re used to the traditional approach, this doesn’t change – you meet the PCI DSS requirement as it’s explicitly written. The customized approach, however, allows risk-mature entities flexibility to meet the security objectives of the PCI DSS while supporting and allowing for the design of controls that address evolving threats and technologies. When considering the two methods, entities should validate controls according to which best suits their organization.

 

But if organizations can design their own security controls, what happens to the previous way of meeting the PCI DSS requirements? Is this a fundamental change to the PCI DSS?

 

 

Differences Between the Methods

Let's understand the difference between the traditional defined approach and the new customized approach. Organizations following the defined approach will address the control processes for the requirements as written in PCI DSS v4.0. Most organizations will likely continue following the defined approach.

 

The customized approach means following a custom-developed set of controls adopted by the assessed entity, where most requirements are met following the defined approach. This method can be very granular; for example, the customization may address a single PCI requirement.

 

 

Planning for the Customized Approach

For organizations wishing to use the customized approach, there are some considerations that need to be addressed. First, they need to fully understand the requirement. The PCI DSS 4.0 standard provides the definition of the requirement and provides a separate customized approach objective outlining what must be addressed to meet the intent of the requirement. Second, the organization needs to determine if it’s already following the requirements as written. There’s no need to reinvent the wheel for a control that’s already being met. Lastly, if the standard approach isn’t being met, the organization should consider whether the control processes previously implemented (or planned) are suitable to meet the stated security objective.

 

If a customized approach is chosen, organizations must then design and prepare proposed controls to meet the security objective of the requirement and share them with their qualified security assessors (QSAs) to get feedback on whether the controls meet the stated security objective.

 

 

Creating a Customized Approach Control

The following criteria apply to the creation and use of a customized approach control:

 

  • PCI DSS 4.0 does not require a business justification for the customized approach. An organization can use it for any reason.
  • PCI DSS requirements can be addressed in a hybrid fashion, using both standard and customized approaches. The defined approach and customized approach can be split, even within a single requirement, as long as the security objective of the requirement is met.
  • Not every requirement can be met using the customized approach. The ones that require the standard approach are outlined in PCI DSS v4.0.
  • The same control processes could potentially be used to meet the security objectives of multiple requirements. Each requirement using the customized approach must be validated individually by the assessor.
  • Even though it's possible to meet many requirements using the customized approach, the assessment complexity increases with the number of requirements using it. As a matter of simplifying the assessment, organizations should try to minimize the number of requirements employing the customized approach.
  • Organizations should always obtain their assessor’s feedback on custom controls. Sharing them with the assessor should happen early, well before he PCI DSS v4.0 assessment. The assessor should be able to describe the expected level of effort involved in assessing the custom controls.
  • Organizations should make every effort to design and implement their own custom controls. QSAs must maintain independence from the assessed entity – should the QSA be involved in designing, developing or implementing the custom control, a separate QSA will be needed to test and evaluate the control.
  • Custom controls may need to show operating effectiveness over a period of time, such as daily, weekly, monthly or quarterly. Organizations should consider how they'll show the effective operating results.
  • Documentation is key to illustrating that custom controls are effective. As part of the overall control, the organization should collect and maintain evidence, which include policies, procedures, system configuration settings, reports, logs, screenshots, etc. The policies, procedures and other documentation should be aligned with and support the custom controls.
  • A targeted risk analysis is required for every customized approach control. This risk analysis is defined for the specific customized requirement, outlines the mischief the requirement is designed to prevent, describes the delta between the written requirement and what is being customized, and explains how the custom control will prevent any mischief. This targeted risk assessment is required and must be shared with the assessor. The PCI DSS v4.0 framework provides a risk analysis template.
  • Customized implementations are not supported when performing a self-assessment or using the self-assessment questionnaire (SAQ).

 

 

Looking Ahead

By framing the standard to meet security needs with flexibility for emerging technologies and allowing a customized approach, PCI DSS 4.0 is well positioned to address current and future technology and security challenges. Organizations wishing to use the customized approach should consider their environment and assessment requirements and involve their assessor at the earliest opportunity. The assessor can help organizations develop their customized plan, evaluate its effectiveness and tailor the test plan to meet the security objective of the PCI DSS requirements.

Brett Perry
Senior Consultant II | Optiv
Brett Perry brings nearly 25 years of experience in consulting and systems engineering. He has provided critical IT security guidance to clients ranging from small businesses to Fortune 500 corporations across a multitude of industries. His extensive experience as a subject matter expert in the Payment Card Industry - Data Security Standard (PCI-DSS) has allowed him to work across a wide range of business types, including retail operations, service providers, ecommerce and card brands, helping them to secure and protect their cardholder data.

Prior to joining Optiv, Brett was a senior security consultant for a PCI qualified assessment company (QSAC), where he spent 15 years conducting both onsite assessments as a QSA and performing quality assurance reviews on peer Reports on Compliance. Brett also brings IT security experience as a former senior systems engineer and Microsoft solutions network implementer.

Optiv Security: Secure greatness.™

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.

Related Insights

Image
creative_image-set-pci-march-blog-list-image

 

PCI DSS 4.0 Is Here: When Does My Company Need To Be Ready?

 

Some companies should update to PCI DSS v4.0 now, while others should wait. This post features helpful details and advice on how to begin preparing.

Image
creative_image-set-2-pci-march-blog-list-image

 

PCI DSS 4.0: A Primer

 

The new Payment Card Industry Data Security Standard – version 4.0 – has been released. This post explores the details of the new standard.

Image
CPI_Risk_PCI_ServiceBrief_Images_List-Section-Thumbail-Image_476x210

 

Payment Card Industry (PCI) Advisory Services

 

Our PCI Advisory Services can build around your specific context, helping you to untangle competing requirements from multiple regulations.