As a Principal Information Security Consultant, Greg delivers large and complex security, risk, and compliance initiatives across numerous industries and verticals. He has thirteen years of security consulting experience supporting a large and diverse global client base, including eleven years as a PCI QSA. Greg is a trusted cybersecurity advisor and technology subject matter expert. He has twenty-one years of experience in multiple security roles, from hands-on technical to senior management. Greg has a proven ability to bridge the gaps between business requirements and enterprise risk, security, and privacy initiatives.
On March 31st, 2022, PCI DSS v4.0 was released. Today’s post is part of a series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.
I’ve recently spent some time reviewing the PCI DSS v4.0’s updates on the Customized Approach and want to go on record as stating that I believe this is one of the most significant changes in the new Standard.
Appendix D of v4.0 states that the Customized Approach “…is intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement.”
This change provides entities with an alternative way to satisfy requirements that haven’t been available before.
If you are looking for details around WHAT the Customized Approach is all about, check out the first blog in this series [here]; or if you are looking for guidance on HOW to use it, visit the second blog [here].
In this post, I want to specifically focus on Targeted Risk Analysis as part of a Customized Approach and look at what you need to know to be successful.
Bringing Risk Management and PCI Program Teams Together
We know that compliance requires a rigorous, integrated approach between the PCI Program and Enterprise Risk Management. Failure to bring those teams together results in chaos, like what you’d see at a NASCAR race if the pit crew didn’t understand their individual roles and how they must work together. Each “function” is required and plays an important role. From a PCI compliance perspective, it’s critical to identify the right internal and external resources who can work together to bridge the gaps between PCI compliance requirements and existing risk management strategies and tolerances.
When considering a Customized Approach solution, companies will need to ensure that the Enterprise Risk Management team can support the intent and rigor of this DSS v4.0 control.
As described in Appendix D (Customized Approach): “an entity using the customized approach must provide a detailed targeted risk analysis for each requirement the entity is meeting with the customized approach.”
Even if your risk management program is not perfect, it still must do an acceptable job of identifying risks and measuring the effectiveness of risk mitigation efforts for v4.0 Customized Approach solutions. Candidly, this is a really big deal! Not only must you develop, test, deploy, and maintain the custom solution, but the solution must be fully documented, risk reviewed, approved by management and the QSA, and regularly tested, including after any Significant Change. Your formal risk management program is integral in making that happen and maintaining it over the long term.
What is Required?
Appendix E2 of DSS v4.0 includes a Sample Targeted Risk Analysis Template. As stated in the DSS, “While it is not required that an entity follow this specific format, its customized approach documentation must include all the information defined in this template.”
This information includes requirements to:
- Identify the requirement
- Describe the proposed solution
- Analyze any changes to the LIKELIHOOD of the mischief occurring, leading to a breach in the confidentiality of cardholder data
- Analyze any changes to the IMPACT of unauthorized access to account data
- Document risk approval and review
As emphasized in DSS v4.0, LIKELIHOOD and IMPACT are key risk concepts throughout this Standard. This is where the rigor and alignment of the PCI program and risk management matter most. It’s critical to thoroughly work through responses to these five information requirements and to validate the sufficiency of the controls. Most organizations don’t analyze PCI risks in this context, so they will have to adapt and think differently.
Completing a Targeted Risk Analysis
In completing a targeted risk analysis for a customized approach, the DSS highlights that:
- The asset being protected is the cardholder data that is stored, processed, or transmitted by the entity.
- The threat actor is highly motivated and capable. The motivation and capability of threat actors tend to increase in relation to the volume of cardholder data that a successful attack will realize.
- The likelihood that an entity will be targeted by threat actors increases as the entity stores, processes, or transmits greater volumes of cardholder data.
- The mischief is directly related to the objective.
The assessor uses the information from the targeted risk analysis to plan and prepare for the assessment. This is going to be a heavy lift for most organizations because it includes the following tasks, as outlined in DSS v4.0 Appendix D:
- Document and maintain evidence about each customized control, including all information specified in the Controls Matrix Template in Appendix E1 and E2.
- Perform and document a targeted risk analysis (PCI DSS Requirement 12.3.2) for each customized control.
- Perform testing of each customized control to prove effectiveness, document testing performed, methods used, what was tested, when testing was performed, and results of testing in the controls matrix.
- Monitor and maintain evidence about the effectiveness of each customized control.
- Provide completed controls matrix(es), targeted risk analysis, testing evidence, and evidence of customized control effectiveness to the assessor.
As you can tell by now, you’re going to need a large forklift to handle the heavy lifting required to implement a Customized Approach and complete a Targeted Risk Analysis. If you need help with any aspect of the Customized Approach, Online will collaborate with you on developing, implementing, and validating Customized Approach solutions.
Online is ready to assist you in developing your PCI program, helping unpack what the v4.0 changes will mean for your organization, and then designing a compliance roadmap to get you there. For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Center, where we have identified and dissected many of the significant changes and new requirements in the latest release of the PCI Standard.