The All-New Customized Approach to PCI DSS: Understanding the Key Tenets, Applicability, and Requirements
The newly released PCI DSS 4.0 introduces a series of transformational changes to its requirements, testing methods, and validation processes. The newly incorporated customized approach is one of the most forward-looking of these changes, offering flexibility for organizations that choose different methods to achieve the security objectives. The same flexibility extends to the frequency of certain requirements, which can now be set through a targeted risk analysis.
The customized approach provides organizations with an option to design innovative controls that address evolving threats and technologies and support meeting the security objectives of PCI DSS requirements. With two approaches (stated below) included in PCI DSS 4.0, organizations can choose either or both by determining what best suits their security implementation and validation processes.
Defined Approach: The defined approach follows the traditional methods to implement the requirements and testing procedures as stated in the standards. It is suitable for those organizations that either have established security controls in place, need more direction to meet security objectives, or are new to information security or PCI DSS.
Customized Approach: Focusing on the intent of each requirement, the customized approach allows entities to design and implement controls unique to their organization that meet the requirement’s stated ‘customized approach objective.’ Organizations that opt for the customized approach need to perform a risk analysis, address the identified risks, and define and test their own controls to verify that they meet the objectives. This approach is best suited to risk-mature entities with a dedicated risk management department or an organization-wide risk management plan.
However, not all requirements have a stated customized approach objective, and organizations can use both the defined and customized approaches for their various system components and within different environments. This article focuses on key aspects that organizations need to keep in mind while using the new customized approach to implement and validate PCI DSS requirements.
Compensating Controls vs. Customized Approach
It is important to note that the inclusion of the customized approach does not replace the existing compensating controls. These controls remain an option for entities that cannot meet a stated requirement due to technical or business constraints; such organizations implement alternative or compensating controls to mitigate the risk associated with that requirement. In contrast, the customized approach is appropriate for organizations that have alternative and innovative strategies to meet the stated security objective of a requirement in their own way.
As the requirements in the latest version of PCI DSS are outcome-based, organizations choosing the customized approach do not need a business or technical justification to define their own controls (such a justification is mandatory for compensating controls). However, organizations deciding to implement compensating controls as part of the defined approach must satisfy the stated criteria and follow the guidelines for such controls.
Validating the Customized Approach – Role of a QSA
In the traditional approach, the assessor follows the defined testing procedures to verify that the requirements have been met. For customized validation there are no listed testing procedures, because every customized implementation is unique. The Qualified Security Assessor (QSA) will need to evaluate the information provided by the entity and develop testing procedures appropriate to the organization-specific customized implementation. After performing those tests, the assessor can then validate whether the designed controls meet the security objectives.
If an organization is considering the customized approach to meet certain requirements, it should plan the approach together with a QSA to confirm that it is acceptable and meets the criteria listed in the standard. Although organizations can take advice from a QSA while drafting controls for the customized approach, it is important to note that the same QSA cannot then assess and attest that organization’s PCI DSS compliance.
Getting Started with the Customized Approach
While the customized approach delivers the long-desired flexibility in the PCI standards, entities that decide to deviate from the defined approach will need a mature appraisal of the risk within their environments. Organizations need to ensure that they understand the new approach before moving forward to determine their own controls. Here are a few tips to keep in mind before getting started:
- Entities can use both approaches within their environment, so that the defined approach is used to meet some requirements and the customized approach to meet others. This also means that they can use different approaches to meet the same requirement in different environments or for different system components. Similarly, the PCI DSS assessment can include both types of testing procedures.
- Entities may also find that some elements of a requirement cannot be met with the defined approach. Such elements must be covered with the customized approach by implementing a separate set of controls that meets the objective.
- Organizations can use the same control processes to meet several requirements under the customized approach, as long as the security objective of each is met. However, each requirement must be validated individually by the assessor.
- Entities that decide to follow a defined approach can also refer to the ‘customized approach objective’ for guidance, but it does not replace or supersede the actual stated requirement.
- The level of documentation and effort required for the customized approach will be greater than for the defined approach, as the controls implemented are expected to meet or exceed the security provided by the stated requirement.
- Some requirements explicitly do not support the customized approach. For such requirements, the defined approach is the only option.
- A detailed targeted risk analysis must be provided for each requirement by entities using the customized approach.
- The customized approach is not available to entities performing a self-assessment or completing a Self-Assessment Questionnaire (SAQ).
For a more detailed insight on the key changes made to the standards and how your organization can smoothly transition to PCI DSS 4.0, get in touch with our compliance experts or register for our upcoming webinar on PCI DSS 4.0 – A Transformational and Technology Driven Future for Payments.