Understanding the PCI DSS 4.0 Roles and Responsibilities

The PCI DSS 4.0 roles and responsibilities are a critical part of compliance with the new Customized Approach. To use this alternative measure, assessed entities must meet certain implementation responsibilities before assessors generate formal reports to validate compliance.

Is your organization prepared for PCI DSS compliance? Schedule a consultation to find out!

 

Customized Approach Roles and Responsibilities

The fourth version of the Payment Card Industry (PCI) Data Security Standard (DSS), published in 2022, features a new way to validate compliance: the Customized Approach. Using it requires working with a Qualified Security Assessor (QSA), and both the assessor and assessed entity roles have distinct responsibilities associated with them. To understand them, you’ll need:

• A general overview of the Customized Approach
• A breakdown of the assessed entity’s responsibilities
• A breakdown of the assessor’s responsibilities

Working with a PCI DSS advisor or assessor will help you achieve and maintain compliance, whether you are pursuing the Defined Approach, Customized Approach, or a mixture of both.

 

Overview of the Customized Approach

The Customized Approach is a way for organizations to meet the underlying needs of PCI DSS requirements in alternative ways that offer the same if not better security than the measures prescribed in the framework. It is designed for organizations with mature security infrastructure that could meet the requirements as designed but would prefer to use alternate methods.

Each PCI DSS Requirement breaks down into several Sections and sub-requirements. Each of these has Defined Approach Requirements and Defined Approach Testing Procedures that, normally, would be used to validate compliance. But there are also Customized Approach Objectives in each sub-requirement that can be followed in lieu of the Defined Approach.

Critically, the Customized Approach is applied on a case-by-case basis to individual controls. An organization may choose to use it for as many (or few) requirements as they like—or none at all.

But once organizations elect to use the Customized Approach for one control, they lock themselves into the assessed entity role and its responsibilities alongside their assessor.

 

Assess your PCI compliance

 

Responsibilities of the Assessed Entity

In any PCI DSS implementation, the same basic necessities exist. Organizations need to implement a set of controls, then have those controls assessed to validate their compliance. In the Customized Approach, however, the option for self-assessment is off the table. There are increased responsibilities for the assessed entity in anticipation of a more complicated audit.

The criteria that assessed entities must satisfy, per the DSS, include:

• Documenting and maintaining evidence for each customized control
• Performing and documenting a risk analysis for each customized control
• Testing each customized control’s effectiveness and documenting:
  • The circumstances surrounding and methods used in testing
  • The scope of control(s) tested, when, and the results of testing
• Monitoring ongoing efficacy of each customized control and retaining evidence
• Providing control matrix(es), risk analysis, and other evidence to the assessor

It is easy to assume that most documentation and reporting responsibilities fall on the assessor, but these criteria illustrate how the assessed entity role also bears much of that burden. For full PCI compliance, organizations should be ready to implement, maintain, and document controls.

Requirements for the Entity to Implement

The biggest responsibility in the assessed entity role, by far, is implementation. Organizations need to strategize, install, and maintain controls that meet the Defined Approach Requirements and Testing Procedures—or Customized Objectives—for every PCI DSS Requirement.

The 12 PCI DSS Requirements break down into Sections, as follows:

• 1: Install and Maintain Network Security Controls – Five Sections
• 2: Apply Secure Configurations to System Components – Three Sections
• 3: Protect Stored Cardholder Data (CHD) and Account Data – Seven Sections
• 4: Encrypt CHD for Transmission on Open Networks – Two Sections
• 5: Protect Systems from Malicious Software – Four Sections
• 6: Develop and Maintain Secure Systems and Software – Five Sections
• 7: Restrict Access to CHD by Business Need to Know – Three Sections
• 8: Identify Users and Authenticate Access to Systems – Six Sections
• 9: Restrict Physical Access to Systems and Networks – Five Sections
• 10: Log and Monitor Access to System Components – Seven Sections
• 11: Test System and Network Security Regularly – Six Sections
• 12: Support Security with Organizational Policies – Ten Sections

There are 251 total sub-requirements distributed across these Sections, most or all of which could be satisfied by a Customized Approach. But to do so, organizations need to document the details of their controls rigorously in a control matrix. They also need to document the specifics of risk analyses that account for and mitigate additional risks inherent to the custom controls.

The DSS contains several sample templates for control matrices and risk analyses. It’s not required to use these samples, but entities will need to include all the same information.

 

Responsibilities of the Assessor

While the implementation, maintenance, and documentation responsibilities of the assessed entity are robust, they do not cover the full scope of DSS compliance. The assessor’s role is equally important, as these third-party organizations are the ones who validate your controls.

The criteria that assessors must satisfy, per the DSS, include:

• Reviewing control matrix(es), risk analysis, and other evidence from the entity to understand the customized controls used and assess their comprehensiveness
• Deriving and documenting appropriate testing procedures for customized controls
• Testing customized controls to determine whether and how they:
  • Meet their requirements’ Customized Approach Objectives
  • Result in an “in place” (i.e., positive) finding for the requirement
• Maintaining independence with respect to control design and implementation

That last criterion is a critical one to keep in mind, as the QSA cannot be involved in advisement or any level of implementation for controls they are assessing. In most cases, this means that organizations seeking out advisory will need to work with multiple third parties for full validation.

Customized Approach Considerations

The Customized Approach requires working with a QSA to generate a Report on Compliance (ROC), which is the highest level of reporting for PCI DSS validation. This means longer and more resource-intensive audits, which are typically reserved for organizations that process the highest volume of CHD. If your organization already required the ROC, there’s no additional burden. But if it could potentially self-assess, that might be worth considering instead.

And, as noted above, the Customized Approach is designed for organizations with mature security already in place who can meet the Defined Requirements but are choosing to meet different ones. The approach is not designed for organizations that are unable to meet the baseline requirements. In those situations, organizations can look into compensating controls.

Compensating control implementation works similarly to the Customized Approach, but it is designed to allow compliance for organizations with a legitimate business or technical barrier to complying with one or more sub-requirements. As such, compensating controls cannot be used for the Customized Approach to a given sub-requirement, but both techniques can be used on different sub-requirements within the same implementation and assessment process.

 

Optimize Your PCI DSS Compliance

Organizations considering the Customized Approach to compliance need to be aware of their role and the responsibilities that come along with it. They’ll need to work with an assessor and complete a full ROC, and there are significant reporting and documentation burdens on them.

RSI Security is both an advisor and assessor for PCI validation. We are committed to helping organizations prepare for, achieve, and maintain compliance. We understand that the right way is the only way to keep data safe; we’ll help you select and execute the best approach for you.

To learn more about the PCI DSS 4.0 roles and responsibilities, contact RSI Security today!