There are three critical steps to taking advantage of the PCI DSS 4.0 Customized Approach:
- Identifying which requirements and controls you’ll meet through alternative methods
- Implementing cyberdefense mechanisms to safeguard the cardholder data environment
- Working with a PCI DSS assessor to report on and validate your controls for compliance
Step #1: Determine Applicable PCI DSS Requirements
Complying with the Payment Card Industry (PCI) Data Security Standard (DSS) always means installing cybersecurity controls up to the specifications of its requirements and assessing them.
However, what that implementation and assessment look like in practice differs between the Defined Approach and the Customized Approach. In the former, organizations have specific Defined Approach Requirements and Defined Approach Testing Procedures to measure against.
The Defined Approach is what every organization strives for in compliance by default. But if an organization has protections in place that can meet the underlying objectives of the control in a different way, ideally a more secure or more efficient way, they might opt for a custom control.
The Customized Approach Objectives tend to be vague in nature, with less explicit guidance on how organizations should meet them. That openness leads to greater flexibility in terms of doing whatever is best to protect cardholder data (CHD). But it can also create challenges in terms of knowing what exactly is needed (and how to measure it) to satisfy compliance obligations.
That’s why the first step toward Customized Approach validation is scoping: figuring out which controls (if any) your organization would like to use the Customized Approach for, and why and how.
The Customized Approach is explicitly not designed for organizations that cannot meet a given DSS requirement. If that’s your situation, you should consider compensating controls instead.
Step #2: Implement and Maintain Customized Controls
Next, you’ll need to install controls that meet the Customized Approach Objectives. This will differ significantly from the processes for meeting the Defined Approach Requirements for the same controls, as you’ll need to come up with your own policies and mechanisms from whole cloth.
For example, consider the Defined Approach Requirements for the first sub-requirement within Section 5.2, which ensures that malicious software is prevented, detected, and/or addressed:
- 5.2.1 Defined Approach Requirements – At least one anti-malware solution is deployed across all system components, except those not at risk from malware.
- 5.2.1 Defined Approach Testing Procedures –
  - 5.2.1a: All system components are examined to verify that at least one anti-malware solution is present, unless they’re confirmed not at risk.
  - 5.2.1b: Evaluations determining that system components are not at risk are examined periodically to verify that no appreciable threats from malware exist.
And compare these with the Customized Approach for the same sub-requirement:
- 5.2.1 Customized Approach Objective – At least one automated mechanism is present across all systems to prevent them from becoming a malware attack vector.
Unlike the Defined Approach, there are no exceptions, and the solution needs to be automated.
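As an added illustration (not part of the original article, and not an RSI Security or PCI SSC tool), the following Python script applies the two 5.2.1 tests above to a constructed component inventory, so the difference between the Defined Approach’s not-at-risk exception and the Customized Objective’s no-exception automation rule shows up as concrete findings. The inventory, the field names, the assessment date and the one-year review window are all assumptions.

```python
from datetime import date, timedelta

# Constructed inventory of CDE system components (sample data, not a real CDE).
#   anti_malware:     deployed solution, or None
#   automated:        True if that solution runs without manual intervention
#   not_at_risk_eval: date of the latest evaluation concluding the component
#                     is not at risk from malware, or None
INVENTORY = [
    {"id": "web-01", "anti_malware": "EDR agent", "automated": True, "not_at_risk_eval": None},
    {"id": "db-01", "anti_malware": "EDR agent", "automated": True, "not_at_risk_eval": None},
    {"id": "hsm-01", "anti_malware": None, "automated": False, "not_at_risk_eval": date(2024, 3, 1)},
    {"id": "legacy-01", "anti_malware": None, "automated": False, "not_at_risk_eval": date(2022, 1, 1)},
    {"id": "batch-01", "anti_malware": "nightly manual scan", "automated": False, "not_at_risk_eval": None},
]

ASSESSMENT_DATE = date(2024, 6, 1)  # assumed date of the assessment
# 5.2.1b only says "periodically"; the review window is the entity's own
# decision, so one year is an assumed placeholder, not a DSS value.
MAX_EVAL_AGE = timedelta(days=365)


def defined_approach_findings(inventory, today=ASSESSMENT_DATE, max_age=MAX_EVAL_AGE):
    """5.2.1a/5.2.1b: every component needs an anti-malware solution unless a
    current evaluation confirms it is not at risk. Returns (id, reason) pairs."""
    findings = []
    for c in inventory:
        if c["anti_malware"]:
            continue  # 5.2.1a satisfied
        ev = c["not_at_risk_eval"]
        if ev is None:
            findings.append((c["id"], "no anti-malware and no not-at-risk evaluation"))
        elif today - ev > max_age:
            findings.append((c["id"], "not-at-risk evaluation is stale"))
    return findings


def customized_objective_findings(inventory):
    """5.2.1 Customized Approach Objective: an automated mechanism on all
    systems, with no not-at-risk exception. Returns (id, reason) pairs."""
    return [(c["id"], "no automated anti-malware mechanism")
            for c in inventory if not (c["anti_malware"] and c["automated"])]


if __name__ == "__main__":
    for label, findings in (("Defined", defined_approach_findings(INVENTORY)),
                            ("Customized", customized_objective_findings(INVENTORY))):
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for cid, why in findings:
            print(f"  {cid}: {why}")
```

Run against the sample inventory, the Defined Approach flags only the stale evaluation on legacy-01, while the Customized Objective also flags the HSM relying on a not-at-risk exception and the host that depends on a manual scan.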
Keep in mind that you need to install controls and then account for the long-term maintenance and efficacy of every control you implement, whether through the Defined Approach or the Customized Approach.
Note: Despite the vagueness inherent to this and almost all Customized Approach Objectives, the onus for describing and documenting the practices used falls squarely on the assessed entity. You are responsible for implementing the control and conducting preliminary assessments, including risk analysis, and providing your findings to your qualified assessor.
Step #3: Assess and Report on Customized Control Efficacy
Finally, you’ll need to work with an external assessor to validate your compliance when using the Customized Approach. Some organizations at lower annual transaction volumes may qualify to use the Self-Assessment Questionnaire (SAQ) for compliance via the Defined Approach. But if you’re using custom controls for any requirements, you’ll need to contract a Qualified Security Assessor (QSA) to conduct formal assessments and fill out a Report on Compliance (ROC).
Two critical factors to keep in mind in this step are the roles and responsibilities of the assessed entity (you) and the assessor (a third party), along with the potential for conflicts of interest.
With respect to responsibilities, the assessed entity itself needs to work closely with the assessor to document elements of the customized controls. Namely, you’ll need to provide a control matrix and risk analysis; you can use the templates for these provided within the DSS.
And, with respect to conflicts of interest, it’s critical that the assessor is not involved in the design or implementation of the controls in any way. In practice, that means that organizations that provide you with advisory services during your control installation cannot be involved in your assessments.
Streamline Your Customized or Defined Approach Today
Making use of the Customized Approach for PCI compliance is as simple as scoping out which controls necessitate it, implementing those controls carefully, and then assessing their efficacy through the rigorous ROC format. If your organization is in a position to take advantage of this flexibility, or if you’re unsure whether it is the right move for you, talking with an advisor can help.
RSI Security provides both advisory and assessment services for PCI validation through the Defined or Customized Approach. We’re committed to serving your organization, helping you create greater flexibility in the future through security discipline now.
To get started on your PCI DSS 4.0 Customized Approach implementation, get in touch today!