
What you Need to Know About the PCI DSS Customized Approach

Payment Card Assessments | PCI DSS

Published: Jan 19, 2021

Last Updated: May 21, 2025

In PCI DSS v4.0.1, entities are allowed to implement customized controls for most requirements, to the extent that such controls are needed to meet the requirements' stated security objectives.

The customized approach is also intended to provide a framework that permits the design of controls that address evolving threats and technologies, and to allow more flexibility and support in meeting the security objectives of the PCI DSS. It allows assessed entities to show that they are meeting the stated security objectives of the related PCI DSS requirements, and thereby to demonstrate compliance with the PCI DSS.

That all said, it can be difficult to navigate where to start and how to know when a customized approach should be used. In this article, we’ll explore the differences between defined and customized approaches, key considerations before using the customized approach, common pitfalls to avoid, and tips for getting started. This way, you’ll be well prepared to proceed with confidence in your compliance journey with PCI DSS v4.0.1. 

What is the Difference in Approaches in PCI DSS v4.0.1?


The difference between the defined approach, which is the standard or traditional assessment approach, and the customized approach is as follows:

Defined approach:

  • Follows the control processes for the requirements already laid out in PCI DSS v4.0.1. Most organizations will probably follow the defined approach.  

Customized approach:

  • Follows a custom control process, or controls adopted by the assessed entity, that may differ somewhat from the defined approach but still meets the stated security objective of the requirement.

Alternatively, PCI DSS v4.0.1 allows for a hybrid approach, where most requirements are met following the defined approach and one or more requirements are met following the customized approach.

3 Key Considerations Before Using PCI DSS v4.0.1's Customized Approach

  1. Understand the requirements 
  2. Determine if you're already following the defined approach for each requirement applicable to your cardholder data environment (CDE)  
  3. Where you're not already following the defined approach, consider whether the control processes you have implemented or plan to implement are adequate to meet the stated security objective of the requirement 

If you need to consider the customized approach for your environment, prepare proposed controls designed to meet the security objective of the requirement and share them with your assessor. This way, you can collect feedback on whether the controls are acceptable to meet the stated security objective of the related requirement. 

Qualified Security Assessors (QSAs) are required to be trained in the customized approach in order to be qualified to review custom controls designed by assessed entities and determine their acceptability. QSAs trained in the customized approach are an excellent resource for working through the process of putting in place controls designed to meet the customized approach.

Tips For Getting Started with PCI DSS v4.0.1's Customized Approach 

As you move forward with potentially taking the customized approach to controls, here are some considerations and best practices you should adopt:

  • A business justification is NOT needed to use the customized approach for any requirement. 
  • Even within a single requirement, the defined approach and customized approach can be split in meeting different aspects of the requirement, as long as the security objective of the requirement is met. 
  • There are some requirements that explicitly cannot be met using the customized approach. These requirements are outlined in PCI DSS v4.0.1. 
  • Compliance with other frameworks does not substitute meeting a PCI requirement. Each requirement met using the customized approach must be validated individually by the assessor. 
  • The same control processes could potentially be used to meet the security objectives of multiple requirements, yet still, each requirement using the customized approach must be validated individually by the assessor. 
  • Even though it's possible to meet many requirements using the customized approach, the complexity of your assessment increases each time. As a matter of simplifying your assessment, try to minimize the number of requirements that are met using the customized approach. 
  • This cannot be emphasized enough: involve your assessor and obtain their feedback on the custom controls you plan to use to meet PCI DSS v4.0.1 requirements. The proper time to share the custom controls with your assessor is likely before engaging them to perform your PCI DSS assessment, since the engagement itself is likely to describe the expected level of effort involved in assessing your custom controls. Avoid surprising your assessor with custom controls after the assessment has started.
  • Remember that custom controls may need to show operating effectiveness over a period of time, such as daily, weekly, monthly, or quarterly activities. Consider how you'll show that your custom controls are operating effectively over a period of time, through comprehensive and thorough documentation.   
  • Evidence showing that custom controls are in place likely includes policies, procedures, system configuration settings, reports, logs, screenshots, and more. Ensure that your policies, procedures, and other official documentation are aligned with and support your custom controls.
  • Customized implementations will require a risk analysis that is shared with your assessor following the PCI DSS v4.0.1 risk analysis template. 
  • Customized implementations are not supported when performing a self-assessment or using the self-assessment questionnaire (SAQ). 

Common Pitfalls When Implementing the Customized Approach 

The customized approach offers flexibility but comes with several common pitfalls that organizations should be aware of. Here are a few to consider, and our recommendations for how your organization can avoid them: 

Misunderstanding the Security Objectives 

Many organizations fail when attempting to implement the customized approach because they focus on creating alternative controls without fully understanding the security objectives those controls must satisfy. Each PCI DSS requirement has a specific security objective listed within the standard document.

Recommendation: To minimize the risk of misunderstanding security objectives under the customized approach, create a detailed mapping document that explicitly links each custom control to the specific security objective identified in the requirement, and have multiple stakeholders review this mapping for completeness.

Insufficient Evidence of Effectiveness 

Organizations often implement reasonable alternative controls but fail to demonstrate their effectiveness over time. Remember that custom controls require robust evidence, not just of implementation but also of operational effectiveness. 

Recommendation: Establishing a monitoring calendar that specifies what evidence will be collected, and at what intervals (such as daily, weekly, monthly, or quarterly), for each custom control can help ensure you have enough of the right kinds of evidence. Include screenshots, logs, reports, and system-generated evidence whenever possible.

Scope Creep and Complexity 

Each requirement addressed through the customized approach adds significant complexity to your assessment. Organizations often start with one requirement and gradually expand to many, creating an unmanageable assessment process. 

Recommendation: As much as possible, set a firm limit on the number of requirements that will use the customized approach. Prioritize those where the business value clearly outweighs the additional assessment complexity.

Inadequate Risk Analysis 

Many organizations complete the required risk analysis template superficially, without truly analyzing the residual risks associated with their custom approach. This can lead to a QSA rejecting the custom control. 

Recommendation: Conduct thorough risk analysis workshops involving security, business, and compliance stakeholders. Document mitigating controls comprehensively and be honest about residual risks. 

Late QSA Engagement 

One of the most common and damaging mistakes is waiting until the assessment begins to discuss custom controls with the QSA, which creates the potential for significant delays and rework.

Recommendation: Engage your QSA during the design phase of custom controls, at a minimum 3-6 months before the assessment. Consider a pre-assessment consultation specifically focused on reviewing proposed custom controls.

Balancing Flexibility with Responsibility 

The customized approach represents a significant evolution in the practicality of payment card security, offering organizations new flexibility to align security controls with their unique business environments while still meeting rigorous security objectives. However, this flexibility comes with increased responsibility for thorough additional documentation, risk analysis, and proactive QSA engagement.

Organizations that thoughtfully implement the customized approach, by selecting appropriate requirements for customization, creating appropriate documentation, and establishing robust evidence collection processes, can achieve compliance more efficiently and potentially reduce operational burdens. Remember that success with the customized approach isn't about avoiding standard controls, but rather about implementing equally effective security measures that better integrate with your existing architecture and operations, ultimately strengthening your overall security posture.

If you’re ready to proceed with your PCI DSS Validation, or have more questions about the requirements or process, Schellman can help. Contact us today and we’ll get back to you shortly. In the meantime, discover other helpful insights in these additional PCI DSS resources:  

About Ken Van Allen

Ken Van Allen is a Technical Lead at Schellman. A collaborative leader with 26 years of experience in elevating the trust and confidence of clients in their technology solutions, Ken previously served insurance, banking, and payment network clients in North and South America and advised them regarding rebuilding their Information Security programs. As a trusted advisor serving alongside business and technology executives from middle management to boards of directors, Ken is passionate about developing people, processes, and programs that secure the confidentiality, integrity, and availability of mission-critical information. At Schellman, he is focused on serving PCI clients.