PCI DSS v4.0: Is the Customized Approach Right For Your Organization?

This blog is the second in a series of articles on the customized approach. The first article provided a high-level overview of the customized approach and explored the difference between compensating controls and the customized approach. This article focuses on considerations for entities thinking about implementing a customized approach, and includes the customized approach resources provided in PCI DSS for the assessed entity and in the PCI DSS Report on Compliance Template for the assessor.

The customized approach was introduced in PCI DSS v4.0 to support increased flexibility for organizations using different methods to achieve security objectives. The customized approach was developed in response to feedback from our stakeholders that they wanted more flexibility to use innovative technologies to achieve security objectives. These new technologies often do not fit within the traditional approach for implementing and validating PCI DSS.

We talk with Lauren Holloway, Director of Data Security Standards, to address some common questions about the customized approach.

Who decides whether an entity should implement a customized approach?

Lauren Holloway: Each entity determines how it will meet PCI DSS requirements, including whether to follow the defined approach or the customized approach.

The defined approach is the approach entities and assessors have been using for years to implement and validate PCI DSS requirements and it continues to be an option in PCI DSS v4.0. This approach is suited for organizations that already have controls in place to meet a requirement and are comfortable with the current methods for validating those controls. It is also suitable for organizations that are new to PCI DSS and may be looking for more specific direction on how to meet security objectives.

The customized approach is an alternative to the defined approach and focuses on a PCI DSS requirement’s stated Customized Approach Objective. This approach provides greater flexibility and is suited for organizations that want to use alternate security controls or new technologies that meet the PCI DSS Customized Approach Objective.

It is important that the entity and assessor collaborate to ensure that the assessor fully understands the customized controls designed by the organization, and that the entity understands the derived testing that the assessor will perform.

Entities wishing to use the customized approach should consult with their compliance-accepting entity (acquirers or payment brands) to understand any related requirements or impacts.

When should an organization decide to use a customized approach?

Lauren Holloway: The use of the customized approach will require greater initial effort by the organization to ensure the controls are properly implemented, supported by all the required documentation, and can be effectively assessed. Having a customized implementation that is properly thought out, documented, tested, and maintained by the entity will facilitate an effective customized assessment process by providing the assessor with accurate, detailed information about how the controls work. This in turn will help the assessor determine the appropriate testing necessary to validate the implementation.

It is recommended that the entity design, implement, and document its controls for a customized approach long before the PCI DSS assessment begins.

What else should an entity consider when deciding whether to implement a customized approach?

Lauren Holloway: The customized approach is not intended to be used as a workaround to avoid having to meet PCI DSS requirements as stated, nor is it intended to address situations where the organization realizes during an assessment that it has not met the requirement as stated.

If an entity does decide during an assessment to implement a customized approach, this will most likely significantly delay the assessment while the entity designs, implements, and documents its customized controls.

What type of entities is the customized approach intended for?

Lauren Holloway: Organizations implementing a customized approach are expected to design, implement, and maintain their controls to meet the Customized Approach Objective and to ensure the control’s ongoing effectiveness. This is why the customized approach is intended for risk-mature organizations that demonstrate a robust risk-management approach to security.

Having risk maturity is strongly recommended because it will contribute to the success of an organization’s customized approach. It will help the organization to better understand and satisfy the requirement’s Customized Approach Objective, and effectively fulfill all the necessary documentation requirements spelled out in PCI DSS.

An entity that needs a QSA’s help to design or implement a customized control may not be a good candidate for the customized approach since it may be difficult for that entity to maintain the control and ensure it continues to operate effectively.

Typical characteristics of a risk-mature organization include:

• An established risk-management program that defines an organization-wide approach for managing risk.
• Senior executives ensure that risk is considered across all lines of business.
• The relationship between risk and organizational objectives is clearly understood and considered when making decisions.
• Risk-management practices are formally approved and expressed within organizational policies.
• Personnel are specifically trained and qualified to conduct technically complex risk analyses.
• Consistent monitoring of risk to organizational assets.
• Proactively adapting to the changing threat and technology landscape.
• Methods are in place to continuously improve and respond effectively to changes in risk.

Examples of recognized mature risk management approaches include those developed by ISO, NIST, MITRE, and COSO.

Customized Approach Resources

The following customized approach resources are included in PCI DSS:

• Section 8: Approaches for Implementing and Validating PCI DSS – provides an overview of the defined approach, compensating controls, and the customized approach.
• Requirement 12.3.2 – establishes the requirement that entities implementing a customized approach must perform targeted risk analyses for each impacted requirement.
• Appendix D: Customized Approach – spells out the criteria that must be satisfied by entities implementing a customized approach and by assessors performing assessments of customized controls.
• Appendix E: Sample Templates to Support the Customized Approach
  • Appendix E1: Sample Controls Matrix Template – provides a template that entities may use and specifies the minimum information that entities must include in their Controls Matrix.
  • Appendix E2: Sample Targeted Risk Analysis Template – provides a template that entities may use and specifies the minimum information that entities must include in their Targeted Risk Analysis.

The following customized approach resources are included in the PCI DSS ROC Template:

• Part II: Findings and Observations – At each affected requirement, the assessor indicates where an entity used a customized control to meet that requirement, and for which aspects of that requirement.
• Appendix E: Customized Approach Template – the assessor uses this template to document each instance where a customized control is used to meet a PCI DSS requirement.

Subscribe to the blog to be notified when the third post in this series is published. The third article will focus on roles and responsibilities for the customized approach, both for the entity developing and implementing a customized approach and for the assessor when reviewing a customized approach as part of a PCI DSS assessment.