PCI DSS v4.0: Compensating Controls vs Customized Approach

A primary goal for PCI DSS v4.0 is to increase flexibility for organizations using different methods to achieve security objectives. One way the standard does this is with the introduction of the Customized Approach. We talk with Lauren Holloway, Director of Data Security Standards, to address some common questions about the Customized Approach.

What’s the Difference Between Compensating Controls and the Customized Approach?

Lauren Holloway: PCI DSS v4.0 offers two ways for an entity to implement and validate PCI DSS requirements – the defined approach and customized approach. The defined approach is the traditional method for implementing and validating PCI DSS controls; it is what entities are doing now to meet PCI DSS v3.2.1 requirements. Compensating controls are still an option within the defined approach for entities that have a legitimate and documented technical or business constraint that prevents them from meeting the Defined Approach Requirement as stated. Compensating controls are often used in situations where there is a legacy system or process that cannot be updated to meet the requirement.

In PCI DSS v4.0, a clarification was made for compensating controls in Appendix B that compensating controls cannot be used to retroactively address a requirement that was missed in the past. It was never the intent that compensating controls could be used, for example, where a task that should have been performed, was not performed, and no action was taken at that time to address it.

It is important to note that compensating controls serve a different purpose than the customized approach. Unlike compensating controls, which are used when organizations have a constraint and are unable to meet the requirement as stated, the customized approach is for entities that choose to meet the requirement differently than is stated. In this case, the entity must meet the stated Customized Approach Objective instead of the stated requirement. The customized approach is most successful when the entity has robust security processes and strong risk management practices and is able to effectively design, document, test, and maintain security controls to meet that objective.

PCI DSS v4.0 Requirement 12.3.2 and Appendices D and E describe all elements of the customized approach, including the elements of the required targeted risk analysis, responsibilities of both the entity and assessor, and sample templates with information that must be included by the entity to document the customized approach.

In PCI DSS v4.0, refer to Figure 5 Understanding the Parts of the Requirements to identify the locations of the Defined Approach Requirement and Customized Approach Objective for each requirement.

Can compensating controls be used to meet the Customized Approach Objective?

Lauren Holloway: No. Compensating controls are not an option with the customized approach. The customized approach is for organizations that chose to develop their own controls that meet the requirement’s Customized Approach Objective. It would not make sense for an organization to also develop an alternative compensating control because the customized implementation that the organization developed cannot meet the Customized Approach Objective.

Can compensating controls and customized approach be used for the same requirement?

Lauren Holloway: Yes. An entity can use compensating controls for certain system components and the customized approach to meet that same requirement for other system components. Taking Requirement 5.3.1 as an example, an entity could use a compensating control to meet that requirement for a certain type of server where there is a legitimate and documented business constraint that prevents that server from meeting the stated requirement. The entity may also choose to use the customized approach to meet that same requirement for other system components, where it has implemented a unique approach to detect and address the latest malware threats. The entity could also use the defined approach as stated, to meet that same requirement for another group of system components.

Subscribe to the blog to be notified for the next post on this topic- which will include more information about the customized approach, including tasks and responsibilities of both the entity and assessor, and important points to consider before selecting the customized approach.