On March 31st, 2022 PCI DSS v4.0 was released. Today’s post is part of a series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.
Have you ever been off-roading? Full-on four-wheel-drive, low gear, creeping over rocks, or blasting through snowbanks? It’s quite an exhilarating experience.
I liken the updates made to the Customized Approach in the recently released PCI DSS v4.0 Standard to such an adventure; an off-road jaunt filled with uncertain terrain and numerous potholes to navigate.
The Customized Approach is a brand-new concept in the DSS. As stated in v4.0: “This approach is intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement.
The Customized Approach allows an entity to take a strategic approach to meet a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.”
The Customized Approach is by far one of the biggest and most impactful changes introduced in PCI DSS v4.0; the phrase “Customized Approach” occurs 395 times in PCI DSS v4.0! It’s critically important to understand the key elements that comprise a validated customized solution to PCI DSS v4.0 compliance – what they are, and what they are not.
The Customized Approach IS:
The Customized Approach IS NOT:
Like any journey, preparation is key. To help deal with emergencies and detours, long-haul road trips include items like a spare tire, blankets, and water.
In the process of transitioning to v4.0 of the PCI DSS, there may be circumstances where you can’t meet a specific requirement as written, and a traditional compensating control isn’t the right fit. A compensating control still addresses a constraint that prevents you from meeting the defined requirement; a Customized Approach is instead used when you have implemented a different control that meets the requirement’s Customized Approach Objective, typically because the technology in place already meets or exceeds the intent and rigor of the Defined control.
“But wait,” you say, “QSAs are known for going down rabbit holes chasing assessment minutia. How will we manage the PCI program with a bunch of customized solutions?”
Fair question. The answer isn’t always to use a customized approach; I’d like to suggest that it starts by planning out your route with an advisor you trust and using customized assessment solutions only when they make sense. An advisor should not only help you achieve compliance but also set you up to manage customized approaches successfully for as long as they remain in the environment.
Online takes a risk-based and consultative approach to your PCI program and assessment needs. Online collaborates with you on developing, implementing, and validating Customized Approach solutions. Online's expert collective of PCI professionals can address all your risk, security, and privacy needs related to the transition to PCI DSS v4.0, and specifically help you with the creation and validation of Customized Approach solutions. We’ll provide the creative solutions to your PCI program needs, and compliance will naturally come along for the ride!
Online is ready to assist you in developing your PCI program, helping unpack what the v4.0 changes will mean for your organization, and then designing a compliance roadmap to get you there. For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Center, where we have identified and dissected many of the significant changes and new requirements in the latest release of the PCI Standard.