Preparing for the PCI DSS Customized Approach

In PCI DSS v4.0, custom controls may be implemented for most requirements wherever an entity needs customized controls to meet those requirements.  Version 4.0 of the DSS will no longer permit compensating controls, and the customized approach is intended to replace the use of compensating controls.  But it is also much more.  The customized approach is intended to provide a framework for designing controls that address evolving threats and evolving technologies, and to give entities more flexibility and support in meeting the security objectives of the PCI DSS.  It allows assessed entities to show that they are meeting the stated security objectives of the related PCI DSS requirements, thereby demonstrating compliance with the PCI DSS.

So, where to start?  When should a customized approach be used?

Let's understand the difference between the defined approach, which is the standard or traditional assessment approach, and the customized approach.  The defined approach means following the control processes for the requirements already laid out in PCI DSS v4.0.  Most organizations will probably follow the defined approach.  The customized approach means following a custom control process, or controls adopted by the assessed entity, that may be somewhat different from the defined approach but still meet the stated security objective of the requirement.  PCI DSS v4.0 allows for a hybrid approach where most requirements are met following the defined approach and one or more requirements are met following the customized approach.

There are three things you should know before considering the customized approach.  First, understand the requirements.  Second, determine whether you are already following the defined approach for each requirement applicable to your cardholder data environment (CDE).  Third, where you are not already following the defined approach, consider whether the control processes you have implemented, or plan to implement, are adequate to meet the stated security objective of the requirement.  If you need to consider the customized approach for your environment, prepare proposed controls designed to meet the security objective of the requirement and share them with your assessor to get feedback on whether the controls are acceptable for meeting the stated security objective of the related requirement.

Qualified security assessors (QSAs) are required to be trained in the customized approach in order to be qualified to review and determine the acceptability of custom controls designed by assessed entities.  QSAs trained in the customized approach are an excellent resource for working through the process of setting in place controls designed to meet the customized approach.

What are some tips on getting started with using the customized approach?

  • A business justification is NOT required to use the customized approach for any requirement.

  • Even within a single requirement, the defined approach and customized approach can be split in meeting different aspects of the requirement as long as the security objective of the requirement is met.

  • There are some requirements that explicitly cannot be met using the customized approach.  These requirements are outlined in PCI DSS v4.0.

  • Compliance with other frameworks does not substitute for meeting a PCI requirement.  Each requirement met using the customized approach must be validated individually by the assessor.

  • The same control processes could potentially be used to meet the security objectives of multiple requirements.  But still, each requirement using the customized approach must be validated individually by the assessor.

  • The complexity of an assessment increases with each customized control process implemented.  Even though it is possible to meet many requirements using the customized approach, each additional requirement met that way adds to the complexity of the assessment.  To simplify your assessment, try to minimize the number of requirements that are met using the customized approach.

  • This cannot be emphasized enough: involve your assessor and obtain their feedback on the custom controls you plan to use to meet PCI DSS v4.0 requirements.  The proper time to share custom controls with your assessor is likely before engaging them to perform your PCI DSS v4.0 assessment, because your engagement with the assessor is likely to describe the expected level of effort involved in assessing your custom controls.  Avoid surprising your assessor with custom controls after the assessment has started.

  • Remember that custom controls may need to show operating effectiveness over a period of time, such as daily, weekly, monthly, or quarterly activities.  Consider how you'll show that your custom controls are operating effectively over a period of time.  Documentation, documentation, documentation!

  • Evidence that custom controls are in place will likely include policies, procedures, system configuration settings, reports, logs, screenshots, and so on.  Ensure that your policies, procedures, and other documentation are aligned with and support your custom controls.

  • Customized implementations will require a risk analysis that is shared with your assessor following the PCI DSS v4.0 risk analysis template.

  • Customized implementations are not supported when performing a self-assessment or using the self-assessment questionnaire (SAQ).

As you consider your environment and your assessment approach, be sure to involve your assessor.  The customized approach provides flexibility that was long desired under past PCI DSS versions, but using it also adds complexity to your assessment.  Your assessor can help you navigate the complexity of meeting PCI DSS v4.0.

About the Author

Eric Sampson

Eric Sampson is a Senior Manager with Schellman & Company, LLC. Prior to joining Schellman in 2008, Eric specialized in security assessments, GLBA, ISO, global privacy, and penetration testing assessments. At Schellman, Eric is focused primarily on PCI, SOC, and WebTrust for Certification Authorities (CA) examinations for organizations across various industries. Eric has over 15 years of experience serving clients in various industries, including cloud and technology service providers, healthcare, and financial services, among others. Eric has led hundreds of project engagements in the areas of PCI, System and Organization Controls (SOC) examinations (SOC 1, SOC 2, SOC 3), WebTrust for CAs, HIPAA, Federal PKI, and agreed-upon procedures. Eric contributes significantly to internal methodologies and team development. Eric also has notable training, knowledge, and professional services contributions in the areas of US and European Union privacy regulations, ISO 27001, NIST 800-53, and HITRUST.
