PCI DSS v4.0 introduces the customized approach: for most requirements, an assessed entity may implement controls of its own design in place of the defined control, provided those controls meet the requirement's stated Customized Approach Objective. Requirements that must be met as written are marked in the standard as not eligible for the customized approach.
The customized approach is intended to provide a framework for designing controls that address evolving threats and technologies, giving entities more flexibility in how they meet the security objectives of the standard. An entity using it demonstrates compliance by showing, through its control documentation and a targeted risk analysis for each customized control, that the stated objective of the related PCI DSS requirement is met.
So, where to start? When should the customized approach be used?