The customized approach is a new concept introduced in PCI DSS 4.0. It provides flexibility in how the PCI DSS requirements are met: an entity can either follow the defined approach to the letter, as in earlier versions of the standard, or take another path that achieves the same objectives. All roads lead to Rome!
- It is up to each entity to determine whether and where to follow the defined approach or the customized approach.
- The use of the customized approach will require greater initial effort to ensure the controls are properly implemented and can be effectively assessed.
- Controls met through a customized approach must be supported by a risk assessment, proper documentation (see below) and proper testing.
- The customized approach can only be used for RoCs (Reports on Compliance) and not for SAQs (Self-Assessment Questionnaires).
- About 12% of the PCI DSS controls are not eligible for a customized implementation.
- The customized approach cannot be used mid-assessment to correct something that is found to be non-compliant.
- Entities wishing to use the customized approach should consult with their compliance-accepting entity (acquirers or payment brands) to understand any related requirements or impacts.
- A QSA may assist with defining customized approaches, but it cannot be the same QSA as the one performing the assessment.
- Judging the adequacy of a customized approach, including its design and its implementation, is left to the discretion of the assessing QSA.
- It is recommended that entities design, implement, and document the controls for a customized approach long before the PCI DSS assessment begins.
For each PCI control implemented through a customized approach, the following information is expected to be documented:
- The name of the customized control
- The associated PCI DSS control ID
- The customized approach objective (see the customized approach column of the PCI Compliance Dashboard)
- A description of the implemented control
- Where the control is implemented
- When the control is performed
- Who is responsible and accountable for the control
- Who is involved in managing, maintaining, and monitoring the control
- How the implemented control meets the stated objective (as defined in the standard)
- The tests performed to prove that the control meets the stated objective
- A brief description of the results of the risk analysis for the control (see below)
- How the control is maintained and how its effectiveness is assured
How could the PCI DSS 4.0 Compliance Dashboard help?
The PCI DSS 4.0 Compliance Dashboard provides, in one view, all the information you need to consider for your compliance journey. For the customized approach, it includes the defined approach requirements, the customized approach objectives, the controls that are not eligible for a customized approach, and a register for documenting the controls met with a customized approach, covering all of the information listed above.