Ask the Assessors - CMMC Edition! Join us Thursday, December 14th @ 1:00 PM (EST)

Learn More and Register
Contact a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Articles
Whitepapers
Video
Case Studies
Events & Live Webinars
On-Demand Webinars
Schellman Training
Visit the Learning Center
Our Process
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Learning Center
Visit the Learning Center
Articles
Articles
Whitepapers
Whitepapers
Video
Video
Case Studies
Case Studies
Events & Live Webinars
Events & Live Webinars
On-Demand Webinars
On-Demand Webinars
Schellman Training
Schellman Training
Our Process
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Contact a Specialist

«  View All Posts

Preparing for the PCI DSS Customized Approach Blog Feature
ERIC SAMPSON

By: ERIC SAMPSON

Print/Save as PDF

Preparing for the PCI DSS Customized Approach

Payment Card Assessments | PCI DSS v4.0

 

In PCI DSS v4.0, custom controls are allowed to be implemented for most requirements to the extent that customized controls are needed to meet PCI DSS requirements.

The customized approach is also intended to provide a framework to allow the design of controls that address evolving threats, evolving technologies, and allow for more flexibility and support to meet the security objectives of the PCI DSS. The customized approach allows assessed entities to show they are meeting the stated security objectives of related PCI DSS requirements thus demonstrating compliance with the PCI DSS.

So, where to start?  When should a customized approach be used?

What is the Difference in Approaches to PCI DSS v4.0?

 

Let's understand the difference between the defined approach, which is the standard or traditional assessment approach, and the customized approach. 

  • The defined approach means following the control processes for the requirements already laid out in PCI DSS v4.0.  Most organizations will probably follow the defined approach. 
  • The customized approach means following a custom control process, or controls adopted by the assessed entity, that may be somewhat different from the defined approach but still meet the stated security objective of the requirement. 

PCI DSS v4.0 allows for a hybrid approach where most requirements are met following the defined approach and one or more requirements are met following the customized approach.

3 Things to Consider Before Using PCI DSS v4.0's Customized Approach

  1.  First, understand the requirements
  2. Second, determine if you're already following the defined approach for each requirement applicable to your cardholder data environment (CDE). 
  3. Third, where you're not already following the defined approach, consider whether the control processes you have implemented or plan to implement are adequate to meet the stated security objective of the requirement. 

If you need to consider the customized approach for your environment, prepare proposed controls designed to meet the security objective of the requirement and share them with you assessor to get feedback on whether the controls are acceptable to meet the stated security objective of the related requirement.

Qualified security assessors (QSAs) are required to be trained in the customized approach in order to be qualified to review and determine the acceptability of custom controls designed by assessed entities.  QSAs trained in the customized approach are an excellent resource for working through the process of setting in place controls designed to meet the customized approach.

Tips For Getting Started With PCI DSS v4.0's Customized Approach

As you do move forward with potentially taking the customized approach to controls, here are some tidbits to keep in mind:

  • A business justification is NOT required to use the customized approach for any requirement.

  • Even within a single requirement, the defined approach and customized approach can be split in meeting different aspects of the requirement as long as the security objective of the requirement is met.

  • There are some requirements that explicitly cannot be met using the customized approach.  These requirements are outlined in PCI DSS v4.0.

  • Compliance with other frameworks does not substitute for meeting a PCI requirement.  Each requirement met using the customized approach must be validated individually by the assessor.

  • The same control processes could potentially be used to meet the security objectives of multiple requirements.  But still, each requirement using the customized approach must be validated individually by the assessor.

  • Even though it's possible to meet many requirements using the customized approach, the complexity of your assessment increases  each time you do. As a matter of simplifying your assessment, try to minimize the number of requirements that are met using the customized approach.

  • This cannot be emphasized enough: involve your assessor in obtaining their feedback on custom controls you plan to use to meet PCI DSS v4.0 requirements.  The proper time to share the custom controls with your assessor is likely before engaging them to perform your PCI DSS v4.0 assessment.  Your engagement of the assessor is likely to describe the expected level of effort involved in assessing your custom controls.  Avoid surprising your assessor with custom controls after the assessment has started.

  • Remember that custom controls may need to show operating effectiveness over a period of time, such as daily, weekly, monthly, or quarterly activities.  Consider how you'll show that your custom controls are operating effectively over a period of time.  Documentation, documentation, documentation!

  • Evidence to show custom controls are in place likely include policies, procedures, system configuration settings, reports, logs, screenshots, etc.  Ensure that your policies, procedures, and other documentation are aligned with and support your custom controls.

  • Customized implementations will require a risk analysis that is shared with your assessor following the PCI DSS v4.0 risk analysis template.

  • Customized implementations are not supported when performing a self-assessment or using the self-assessment questionnaire (SAQ).

The customized approach provides flexibility that has been long desired in past PCI DSS versions, but it also also adds complexity to your assessment. To ensure that you understand as much as possible regarding the new standard, check out our content that deconstructs several different aspects:

About ERIC SAMPSON

Eric Sampson is a Manager at Schellman. Eric began his professional career in 2005 while working as an IT auditor in Philadelphia. Eric executed several critical projects for clients in the areas of information security and Service Organization Controls (SOC) reporting projects. To date, Eric has provided services to clients in the healthcare, information technology, and financial services industries, among others.

Schellman

4010 W Boy Scout Boulevard, Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S. 1.813.288.8833

Services
Industries
Resources
Company

© SchellmanPrivacy PolicyTerms

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.