In PCI DSS v4.0, an assessed entity may implement customized controls for most requirements where it needs a control that differs from the one the requirement defines.
The customized approach is also intended to provide a framework for designing controls that address evolving threats and evolving technologies, and to give entities more flexibility in meeting the security objectives of the PCI DSS. Under the customized approach, an assessed entity shows that its controls meet the stated security objective (the Customized Approach Objective) of each related PCI DSS requirement, and thereby demonstrates compliance with the PCI DSS.
So, where to start? When should a customized approach be used?
What is the Difference in Approaches to PCI DSS v4.0?
Let's understand the difference between the defined approach, which is the standard or traditional assessment approach, and the customized approach.
- The defined approach means following the control processes for the requirements already laid out in PCI DSS v4.0. Most organizations will probably follow the defined approach.
- The customized approach means implementing controls designed or adopted by the assessed entity that differ from the defined approach but still meet the stated security objective of the requirement.
PCI DSS v4.0 allows for a hybrid approach where most requirements are met following the defined approach and one or more requirements are met following the customized approach.
3 Things to Consider Before Using PCI DSS v4.0's Customized Approach
- First, understand the requirements.
- Second, determine if you're already following the defined approach for each requirement applicable to your cardholder data environment (CDE).
- Third, where you're not already following the defined approach, consider whether the control processes you have implemented or plan to implement are adequate to meet the stated security objective of the requirement.
If you need to consider the customized approach for your environment, prepare proposed controls designed to meet the security objective of the requirement and share them with your assessor to get feedback on whether the controls are acceptable for meeting the stated security objective of the related requirement.
Qualified security assessors (QSAs) must complete training on the customized approach before they are qualified to review custom controls designed by assessed entities and determine whether those controls are acceptable. QSAs with this training are an excellent resource for working through the process of putting in place controls designed to meet the customized approach.
Tips For Getting Started With PCI DSS v4.0's Customized Approach
As you move forward with the customized approach, here are some points to keep in mind:
A business justification is NOT required to use the customized approach for any requirement.
Even within a single requirement, the defined approach and customized approach can be split in meeting different aspects of the requirement as long as the security objective of the requirement is met.
There are some requirements that explicitly cannot be met using the customized approach. These requirements are outlined in PCI DSS v4.0.
Compliance with other frameworks does not substitute for meeting a PCI requirement. Each requirement met using the customized approach must be validated individually by the assessor.
The same control processes could potentially be used to meet the security objectives of multiple requirements. But still, each requirement using the customized approach must be validated individually by the assessor.
Even though it is possible to meet many requirements using the customized approach, each one adds complexity to your assessment. To keep the assessment manageable, minimize the number of requirements met this way.
This cannot be emphasized enough: involve your assessor and obtain their feedback on any custom controls you plan to use to meet PCI DSS v4.0 requirements. The right time to share custom controls with your assessor is before you engage them to perform your PCI DSS v4.0 assessment, because the engagement should describe the expected level of effort involved in assessing those controls. Avoid surprising your assessor with custom controls after the assessment has started.
Remember that custom controls may need to show operating effectiveness over a period of time, such as daily, weekly, monthly, or quarterly activities. Consider how you'll show that your custom controls are operating effectively over a period of time. Documentation, documentation, documentation!
Evidence that custom controls are in place will likely include policies, procedures, system configuration settings, reports, logs, screenshots, and similar artifacts. Ensure that your policies, procedures, and other documentation are aligned with and support your custom controls.
Each requirement met using the customized approach requires a documented targeted risk analysis, prepared using the PCI DSS v4.0 risk analysis template and shared with your assessor.
The customized approach is not available for self-assessments: entities that validate using a self-assessment questionnaire (SAQ) must follow the defined approach.
The customized approach provides flexibility that has long been desired in past PCI DSS versions, but it also adds complexity to your assessment. To ensure that you understand as much as possible about the new standard, check out our content that deconstructs several different aspects:
- What to Expect with the PCI DSS v4.0 Release (video)
- What Service Providers Should Know About PCI DSS v4.0 (article)
- Decrypting the New Cryptographic Requirements in PCI DSS v4.0
About the Author: Eric Sampson