866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO-20000-1
Privacy Assessments
Privacy Assessments
APEC Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
Privacy Program Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Series
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
Our Technology
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Preparing for the PCI DSS Customized Approach Blog Feature
ERIC SAMPSON

By: ERIC SAMPSON

Print/Save as PDF

Preparing for the PCI DSS Customized Approach

Payment Card Assessments

Published: Jan 19, 2021

Last Updated: Nov 6, 2023

 

In PCI DSS v4.0, custom controls are allowed to be implemented for most requirements to the extent that customized controls are needed to meet PCI DSS requirements.

The customized approach is also intended to provide a framework to allow the design of controls that address evolving threats, evolving technologies, and allow for more flexibility and support to meet the security objectives of the PCI DSS. The customized approach allows assessed entities to show they are meeting the stated security objectives of related PCI DSS requirements thus demonstrating compliance with the PCI DSS.

So, where to start?  When should a customized approach be used?

What is the Difference in Approaches to PCI DSS v4.0?

 

Let's understand the difference between the defined approach, which is the standard or traditional assessment approach, and the customized approach. 

  • The defined approach means following the control processes for the requirements already laid out in PCI DSS v4.0.  Most organizations will probably follow the defined approach. 
  • The customized approach means following a custom control process, or controls adopted by the assessed entity, that may be somewhat different from the defined approach but still meet the stated security objective of the requirement. 

PCI DSS v4.0 allows for a hybrid approach where most requirements are met following the defined approach and one or more requirements are met following the customized approach.

3 Things to Consider Before Using PCI DSS v4.0's Customized Approach

  1.  First, understand the requirements
  2. Second, determine if you're already following the defined approach for each requirement applicable to your cardholder data environment (CDE). 
  3. Third, where you're not already following the defined approach, consider whether the control processes you have implemented or plan to implement are adequate to meet the stated security objective of the requirement. 

If you need to consider the customized approach for your environment, prepare proposed controls designed to meet the security objective of the requirement and share them with you assessor to get feedback on whether the controls are acceptable to meet the stated security objective of the related requirement.

Qualified security assessors (QSAs) are required to be trained in the customized approach in order to be qualified to review and determine the acceptability of custom controls designed by assessed entities.  QSAs trained in the customized approach are an excellent resource for working through the process of setting in place controls designed to meet the customized approach.

Tips For Getting Started With PCI DSS v4.0's Customized Approach

As you do move forward with potentially taking the customized approach to controls, here are some tidbits to keep in mind:

  • A business justification is NOT required to use the customized approach for any requirement.

  • Even within a single requirement, the defined approach and customized approach can be split in meeting different aspects of the requirement as long as the security objective of the requirement is met.

  • There are some requirements that explicitly cannot be met using the customized approach.  These requirements are outlined in PCI DSS v4.0.

  • Compliance with other frameworks does not substitute for meeting a PCI requirement.  Each requirement met using the customized approach must be validated individually by the assessor.

  • The same control processes could potentially be used to meet the security objectives of multiple requirements.  But still, each requirement using the customized approach must be validated individually by the assessor.

  • Even though it's possible to meet many requirements using the customized approach, the complexity of your assessment increases  each time you do. As a matter of simplifying your assessment, try to minimize the number of requirements that are met using the customized approach.

  • This cannot be emphasized enough: involve your assessor in obtaining their feedback on custom controls you plan to use to meet PCI DSS v4.0 requirements.  The proper time to share the custom controls with your assessor is likely before engaging them to perform your PCI DSS v4.0 assessment.  Your engagement of the assessor is likely to describe the expected level of effort involved in assessing your custom controls.  Avoid surprising your assessor with custom controls after the assessment has started.

  • Remember that custom controls may need to show operating effectiveness over a period of time, such as daily, weekly, monthly, or quarterly activities.  Consider how you'll show that your custom controls are operating effectively over a period of time.  Documentation, documentation, documentation!

  • Evidence to show custom controls are in place likely include policies, procedures, system configuration settings, reports, logs, screenshots, etc.  Ensure that your policies, procedures, and other documentation are aligned with and support your custom controls.

  • Customized implementations will require a risk analysis that is shared with your assessor following the PCI DSS v4.0 risk analysis template.

  • Customized implementations are not supported when performing a self-assessment or using the self-assessment questionnaire (SAQ).

The customized approach provides flexibility that has been long desired in past PCI DSS versions, but it also also adds complexity to your assessment. To ensure that you understand as much as possible regarding the new standard, check out our content that deconstructs several different aspects:

About ERIC SAMPSON

Eric Sampson is a Director at Schellman. Eric began his professional career in 2005 while working as an IT auditor in Philadelphia. Eric executed several critical projects for clients in the areas of information security and Service Organization Controls (SOC) reporting projects. To date, Eric has provided services to clients in the healthcare, information technology, and financial services industries, among others.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.