Now that PCI DSS version 4 has been released, a lot of companies are wondering what the difference is between a customized approach and a defined approach for validating a requirement.
Hi, I'm Matt Crane. I'm a manager here in the PCI practice for Schellman. Today, we're going to go over the difference between a defined approach and a customized approach when validating a requirement under PCI DSS version 4.
The primary difference between the defined approach and the customized approach is that the defined approach is what we all know and love; it's been around with PCI DSS since the original standard was published in the early 2000s. The customized approach is kind of a mix between what we've previously seen with customized controls and the defined approach, in that it's focused on an objective defined for the requirement. So when we look at the requirements that are in PCI DSS version 4, even the existing ones we've seen before, those requirements have an objective statement. If an organization determines they want to meet the objective instead of meeting the defined requirement, what they'll essentially do is work with their QSA to go through the objective, determine what the validation methods will be, and then the QSA will create a separate set of testing procedures to validate that customized control. It will give organizations a lot of flexibility in the way they're meeting these requirements.
Now that you have a general understanding of the difference between a defined approach and a customized approach, feel free to reach out to us by filling out the form.