As a Principal Information Security Consultant, Greg delivers large and complex security, risk, and compliance initiatives across numerous industries and verticals. He has thirteen years of security consulting experience supporting a large and diverse global client base, including eleven years as a PCI QSA. Greg is a trusted cybersecurity advisor and technology subject matter expert. He has twenty one years of experience in multiple security roles, from hands-on technical to senior management. Greg has a proven ability to bridge the gaps between business requirements and enterprise risk, security, and privacy initiatives.
The recent release of PCI DSS v4.0 may give the mistaken impression that there is a lot of time for organizations to prepare for any required changes to people, processes, and technologies. While this is true of many requirements, the v4.0 release will require many entities to develop creative solutions to compliance challenges, and many of these will take significant time to address. This is especially true when an entity can’t meet the Defined Approach or otherwise remediate the issue with a Compensating Control Worksheet (CCW). This is where the Customized Approach comes in.
On March 31st, 2022 PCI DSS v4.0 was released. Today’s post is part of series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.
The recent release of PCI DSS v4.0 may give the mistaken impression that there is a lot of time for organizations to prepare for any required changes to people, processes, and technologies.
While this is true of many requirements, the v4.0 release will require many entities to develop creative solutions to compliance challenges, and many of these will take significant time to address. This is especially true when an entity can’t meet the Defined Approach or otherwise remediate the issue with a Compensating Control Worksheet (CCW). This is where the Customized Approach comes in.
In a previous blog, I introduced the Customized Approach as one of the most noteworthy changes introduced in PCI DSS v4.0; “Customized Approach” occurs 395 times in PCI DSS v4.0! It’s critically important to understand the key elements that comprise a validated customized solution. In this post, I’d like to take a closer look at the details around using the Customized Approach.
Where do you start with the Customized Approach?
When an organization can’t meet a defined PCI DSS v4.0 requirement, the Customized Approach can be used to create unique risk-based solutions that don’t strictly follow the defined requirement, and can’t be met with a CCW.
Appendix D of v4.0 provides an overview of the Customized Approach; it indicates that the Customized Approach “…is intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach allows an entity to take a strategic approach to meeting a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that
For example, if an entity can’t legitimately meet a vulnerability scanning requirement due to a business or technical constraint, a Compensating Control Worksheet (CCW) may be used. If an entity is going to discover vulnerabilities by means other than scanning, which falls outside the scope of a CCW, then a Customized Approach Objective would need to be created.
Understanding What is Required
To initiate and execute a Customized Approach solution, entities must follow a set of predefined steps, including completing detailed risk assessments.
It will come as no surprise to hear that the risk assessments and associated documentation for the Customized Approach are extensive and will put a significant burden on your PCI compliance and risk management programs.
While the Customized Approach provides flexibility for some organizations, it’s clear that it must be used thoughtfully and as sparingly as possible. Although it affords greater opportunities for creative compliance solutions, the Customized Approach must still meet and exceed the rigor and intent of the Defined control, which is no small feat.
Lastly, an important note in Appendix D states: “The use of the customized approach may be regulated by organizations that manage compliance programs (for example, payment brands and acquirers). Therefore, questions about the use of a customized approach must be referred to those organizations.”
Support Available in DSS v4.0: Documentation
Appendix E1 of v4.0 includes Sample Templates to Support Customized Approach. While these are not mandatory, these templates are helpful examples of what is expected.
At a minimum, the Customized Approach requires the following types of information:
- What is implemented?
- How were the controls determined to meet PCI requirements?
- How does the Customized control provide at least the equivalent level of protection as the Defined requirement?
- How does the entity provide on-going assurance of the effectiveness of the control?
Much like Appending E1, Appendix E2 contains a Sample Targeted Risk Analysis Template. Using the template is not required, but the Risk Assessment must contain, at a minimum, the information from the risk analysis template.
Use of Customized Approach
As part of the v4.0 release, there are new requirements (12.5.2) that require Merchants to document and confirm PCI DSS scope at least every 12 months and upon significant change to the in-scope environment. Service Providers must perform a scoping exercise every six months and after significant change to the in-scope environment. Using the information from the scoping review, and working closely with the QSA, organizations will be able to ensure the defined scope of an approved Customized Validation.
It’s important to note that entities that opt to complete a “Self-Assessment Questionnaire” are not eligible to use a customized approach. Alternatively, they may elect to have a QSA or ISA perform their assessment and document compliance in a ROC Template.
Documenting Customized Approach Validations and Risk Assessments
The guidance in Appendix E1 is stated plainly: “…it is required that the entity’s customized approach documentation includes all information defined in this template, and that the entity provides this exact information to its assessor.”
This is a really big deal. Exacting documentation requirements can be quite difficult for many PCI programs to design and support, especially as related to risk analysis and reporting. Developing, documenting, and validating a DSS v4.0 Customized Approach Objective will represent significant effort for both the PCI Compliance and Risk Management programs. As stated in Appendices E1 and E2 you’re required to:
- Document and maintain evidence about each customized control, including all information specified in the Controls Matrix Template in Appendix E1.
- Perform and document a targeted risk analysis (PCI DSS Requirement 12.3.2) for each customized control, including all information specified in the Targeted Risk Analysis Template in Appendix E2.
- Perform testing of each customized control to prove effectiveness, and document testing performed, methods used, what was tested, when testing was performed, and results of testing in the controls matrix.
- Monitor and maintain evidence about the effectiveness of each customized control.
- Provide completed controls matrix(es), targeted risk analysis, testing evidence, and evidence of customized control effectiveness to its assessor.
Like a fine-tuned engine, maintaining the documentation year-round is key. Failure to keep the relevant documents up-to-date will cause challenges during the annual PCI assessment.
Five Key Considerations: Customized Approach
1. It’s important to consider the overall PCI ecosystem to ensure that a Customized Approach is scalable, repeatable, and manageable within the overall context of the PCI program scope.
2. Make sure to include the timing for budget, design, testing, implementation, and assessments of a Customized Approach and Validation.
- For example: There are many moving pieces with a derived Customized Approach Validation, and, for the most part, they require more diligence and effort than PCI DSS v3.2.1 Compensating Control Worksheets (CCWs). Appendix E of v4.0, the PCI Council emphasizes that “The controls matrix does not replace the need for the assessor to independently develop appropriate testing procedures for validating the implemented controls.”
3. Be cautious when jumping back and forth between the Defined Approach, CCWs, and the Customized Approach. This can lead to miles of rough road if the details aren’t managed correctly. Even the process of simply evaluating existing CCWs to determine if/how they can convert to Customized Validations is very time consuming. While this is a good place to start, be sure to budget your time accordingly.
4. For every Customized Approach, be prepared to revalidate the solution every year, or after a Significant Change to a control covered by the customized approach.
5. As mentioned above, if you are going to explore using the Custom Approach, you need to remember that SAQ-eligible organizations are not eligible if they have completed a self-assessment Questionnaire.
Why use Online for your PCI DSS v4.0 Customized Approach implementation strategies and derived validations?
Online takes a risk-based and consultative approach to your PCI program and assessment needs. Online collaborates with you on developing, implementing, and validating Customized Approach solutions. Online's expert collective of PCI professionals can address all your risk, security, and privacy needs related to the transition to PCI DSS v4.0, and specifically help you with the creation and validation of Customized Approach solutions. We’ll provide the creative solutions to your PCI program needs, and compliance will naturally come along for the ride!
Online is ready to assist you in developing your PCI program, helping unpack what the v4.0 changes will mean for your organization, and then designing a compliance roadmap to get you there. For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Center, where we have identified and dissected many of the significant changes and new requirements in the latest release of the PCI Standard.