As a Principal Information Security Consultant, Greg delivers large and complex security, risk, and compliance initiatives across numerous industries and verticals. He has thirteen years of security consulting experience supporting a large and diverse global client base, including eleven years as a PCI QSA. Greg is a trusted cybersecurity advisor and technology subject matter expert. He has twenty-one years of experience in multiple security roles, from hands-on technical to senior management. Greg has a proven ability to bridge the gaps between business requirements and enterprise risk, security, and privacy initiatives.
On March 31st, 2022, PCI DSS v4.0 was released. Today’s post is part of a series of pieces we are publishing that explore the changes to the PCI standard and provide insight into what the changes will mean for your organization. All of our posts can be found here.
Have you ever been off-roading? Full-on four-wheel-drive, low gear, creeping over rocks, or blasting through snowbanks? It’s quite an exhilarating experience.
I liken the updates made to the Customized Approach in the recently released PCI DSS v4.0 Standard to such an adventure: an off-road jaunt filled with uncertain terrain and numerous potholes to navigate.
The Customized Approach is a brand-new concept in the DSS. As stated in v4.0: “This approach is intended for entities that decide to meet a PCI DSS requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement.
The Customized Approach allows an entity to take a strategic approach to meet a requirement’s Customized Approach Objective, so it can determine and design the security controls needed to meet the objective in a manner unique for that organization.”
The Customized Approach: What It Is and What It Isn’t
The Customized Approach is by far one of the biggest and most impactful changes introduced in PCI DSS v4.0; “Customized Approach” occurs 395 times in PCI DSS v4.0! It’s critically important to understand the key elements that comprise a validated customized solution to PCI DSS v4.0 compliance – what they are, and what they are not.
The Customized Approach IS:
- Intended for entities as an alternative strategy to satisfy the PCI DSS v4.0 Customized Approach Objective for any remediation that deviates from the Defined requirement.
- Risk-based and assumes that organizations have a mature cross-functional Enterprise Risk Management program. Be assured that if you don’t have an effective risk-assessment process in place, this will impact the effectiveness of the Customized Approach.
- A highly flexible way to select, evaluate, approve, implement, and monitor the effectiveness of a customized solution, and meet the objective, intent, and rigor of the defined control.
- Highly collaborative with the QSA in deriving customized testing procedures to validate compliance.
The Customized Approach IS NOT:
- A traditional PCI DSS Compensating Control Worksheet (CCW).
- A loose way for organizations to avoid the prescriptive controls of the PCI DSS: "We don't have to worry; we can do anything we want with the Customized Approach."
- Easy. In fact, the Customized Approach will require a rigorous and creative process to develop and deploy customized solutions over and above the standard compensating control.
Why It Matters
Like any journey, preparation is key. To help deal with emergencies and detours, long-haul road trips include items like a spare tire, blankets, and water.
In the process of changing to v4.0 of the PCI DSS, there may be circumstances where you can’t meet a specific requirement, and a traditional compensating control isn’t enough. To achieve compliance, a Customized Approach may be used in the event the technology surpasses the intent and rigor of the Defined control.
“But wait,” you say, “QSAs are known for going down rabbit holes chasing assessment minutia. How will we manage the PCI program with a bunch of customized solutions?"
Fair question. The answer isn’t always to use a customized approach; I’d like to suggest that it starts by planning out your route with an advisor you trust and using customized assessment solutions when they make sense. An advisor should be able not only to help you achieve compliance but also to set you up to manage customized approaches successfully for as long as they exist within the environment.
Why use Online for your PCI DSS v4.0 Customized Approach implementation strategies and derived validations?
Online takes a risk-based and consultative approach to your PCI program and assessment needs. Online collaborates with you on developing, implementing, and validating Customized Approach solutions. Online's expert collective of PCI professionals can address all your risk, security, and privacy needs related to the transition to PCI DSS v4.0, and specifically help you with the creation and validation of Customized Approach solutions. We’ll provide the creative solutions to your PCI program needs, and compliance will naturally come along for the ride!
Online is ready to assist you in developing your PCI program, helping unpack what the v4.0 changes will mean for your organization, and then designing a compliance roadmap to get you there. For additional insight and guidance from Online’s QSA team, explore our digital PCI DSS v4.0 Resource Center, where we have identified and dissected many of the significant changes and new requirements in the latest release of the PCI Standard.