PCI DSS 4.0 – Customized Approach Explained

Published 7/27/22, 9:00am

You’ve heard about the new Customized Approach in PCI DSS 4.0 that allows assessed entities to meet PCI requirements in an alternative manner. Now, your first thought might be that passing PCI just became easier because if something is missed throughout the year, a customized approach can be used to get around it. Not so fast.

A Customized Approach is meant to fulfill a PCI requirement’s objective in a manner other than as stated within the requirement. Rather than a reaction to a missed control, this is a planned approach.

A Customized Approach cannot be used mid-assessment to correct something that is not compliant. If a non-compliant element needs to be addressed mid-assessment it requires a Compensating Control Worksheet, which can’t be used in conjunction with a customized approach. If a control is missed or can’t be implemented during the assessment, the assessor will work with you to determine what can be done to create compensating controls that will meet the requirement. The Customized Approach only comes in before the assessment begins and can only be used for RoCs (Report of Compliance) and not SAQs (Self Assessment Questionnaires). 

The Customized Approach is quite detailed and will only be used by mature companies with sophisticated, stable controls. Prior to the assessment, the control matrix will need to be completed by the assessed entity. The control matrix describes the aspects of the alternative approach being taken to fulfill the requirement. It is acceptable to have a QSA assist with writing the matrix but it cannot be the same QSA as the one performing the assessment, as this would result in the QSA assessing their own work. The controls matrix is not required in the assessed entity’s documentation. The information contained within the controls matrix can be presented in any format as long as all the information is presented.

Once the matrix or equivalent is complete, documented testing must be performed for each customized control. The documentation will need to contain what testing was performed, methods used, dates, what was tested, when testing was performed, and the results of the test. After the initial testing, it will be necessary to maintain and monitor the customized approach throughout the year.

The Customized Approach also requires that a targeted risk analysis (PCI 12.3.x) be completed. Here the Council has introduced a new term: “mischief.” Mischief is defined by the Council as “an occurrence or event that negatively affects the security posture of the entity.” Examples they provide include the absence of a policy, the failure to conduct a vulnerability scan, etc. The Council has provided a template for targeted risk analysis (TRA). Again the template is not required and the information contained within the template can be presented in any form as long as all information is presented. The TRA must include the mischief that the PCI requirement was intended to prevent and the impact on the environment if the PCI requirement is not met. The TRA goes on to explain the proposed solution and then performs a risk analysis that includes likelihood, reasons the mischief may still occur, impact assessment, and then concludes with risk approval and review.

When the assessment begins, the assessor will need to see completed control matrices (or equivalent), targeted risk analysis for each customized approach, the initial testing that was performed, and evidence of maintaining and monitoring the customized approach since the initial testing.

So after all this, is it really easier to complete a Customized Approach, or just comply with the original DSS requirement? That will be up to the assessed entity to decide.