Blog Post
Mythbusting the PCI DSS 4.0 customized approach
The Customized Approach means you can avoid some controls
PCI DSS 4.0 offers two main approaches to compliance, introducing a new Customized Approach option for organizations:
- Defined Approach, which follows the familiar method for implementing and testing controls using the Requirements and Testing Procedures as they are written in the Standard.
- Customized Approach, which allows the development of bespoke controls to meet the Customized Approach Objective described in the Standard.
The Customized Approach has been perceived as a risk-based approach permitting organizations to remove controls from the scope of assessment by risk acceptance. In fact, organizations are required to identify any controls they wish to meet using this method and discuss these with their QSA in preparation for assessment. Organizations must meet all controls of PCI DSS 4.0 that apply, using either the Defined Approach or a combination of defined and custom controls. As such, PCI DSS 4.0 doesn’t release organizations from their compliance obligations against all applicable controls.
You can use the Customized Approach to meet non-compliant controls
The Customized Approach can’t be used during an assessment to address a non-compliant finding. This method requires collaboration between organizations and their QSA to determine the appropriateness of the custom control, and the testing procedures that will be used to validate the control at assessment. As the Standard explains: ‘The controls implemented and validated using the customized approach are expected to meet or exceed the security provided by the requirement in the defined approach. The level of documentation and effort required to validate customized implementations will also be greater than for the defined approach.’
All organizations can use the Customized Approach
All organizations that undertake a QSA-led assessment resulting in a Report on Compliance (ROC) are – in theory – able to follow a Customized Approach to PCI DSS 4.0. The Standard suggests that custom controls are more suitable for organizations with a mature risk-management approach to security, supported by a dedicated risk management function. For less mature organizations, those without internal risk management expertise, and those new to PCI DSS, the Defined Approach is advised. Organizations that report compliance using self-assessment aren’t able to use custom controls and must meet the defined control requirements of the Standard.
You can use compensating controls with the Customized Approach
Compensating controls have been used in previous versions of the Standard to permit alternative controls that satisfy the intent of a requirement where organizations had a legitimate reason for doing so. During the development of PCI DSS 4.0, the PCI Security Standards Council (PCI SSC) considered removing compensating controls from the Standard. With the introduction of the Customized Approach, there was a view that custom controls could serve the same purpose. Despite this, PCI DSS 4.0 retains compensating controls for organizations using the Defined Approach for compliance and assessment.
Organizations using the Customized Approach won’t be able to use compensating controls – even for controls considered by them and their QSA for the Defined Approach. Where defined controls can’t be met and an organization is using the Customized Approach for other requirements, it will need to develop and implement a custom control in collaboration with its QSA, who will define the testing procedures for assessment.