The Differences Between the Defined and Customized Approach in PCI DSS v4.0

Now the PC says version 4 has been released. A lot of companies are wondering what the difference between a customized approach and a defined approach for validating a requirement is.

Hi, I'm Matt Crane. I'm a manager here in the PCI practice for Schellman. Today, we're going to go over the difference between a defined approach and a customized approach when validating a requirement under PCI DSS version 4.

The primary difference between the defined approach and the customized approach is a defined approach is what we all know and love, and it's been around with PCI DSS since the original standard was published in the early 2000s. The customized approach is kind of a mix between what we've previously seen with customized controls and the defined approach in that it's focused on an objective defined for the requirement. So when we look at the requirements that are in PCI DSS version 4, even the existing ones we've seen before, those requirements have an objective statement. If an organization determines they want to meet the objective instead of meeting the defined requirement, what they'll essentially do is they'll work with their QSA to go through the objective, determine what the validation methods will be, and then the QSA will create a separate set of testing procedures to validate that customized control, and it will give organizations a lot of flexibility in the way they're meeting these requirements.

Now that you have a general understanding of the difference between a defined approach and a customized approach, feel free to reach out to us by filling out the form

About the Author

Matt Crane

Matthew Crane is a Manager with Schellman & Company, LLC. Prior to joining Schellman in July of 2017, Matt worked as a Security Consultant Team Lead, specializing in PCI and NIST CSF assessments. As a Manager with Schellman, Matt is focused primarily on PCI-DSS Compliance for organizations across various industries.

More Content by Matt Crane
Previous Video
What is the SSPA Process?
What is the SSPA Process?

Next Video
The Cost of a GDPR Assessment
The Cost of a GDPR Assessment