PCI DSS v4.0: The Customized Approach

  • Home
  • Blog
  • PCI DSS v4.0: The Customized Approach

Organizations needing to comply with the Payment Card Industry Data Security Standard (PCI DSS) will already be familiar with the defined approach as, historically, this is how companies demonstrate compliance. In short, it means meeting the required standard as per the definition set out by the PCI council. However, the release of PCI DSS version 4.0 means there are new, customized ways to demonstrate compliance.

Version 4.0, released in March 2022, made significant changes to PCI DSS, helping organizations meet the evolving needs of the payment security sector. There is a greater focus on security as a continuous process and increased flexibility in how organizations meet the requirements.

We are currently in a period of transition where organizations are allowed to retain their compliance against PCI DSS v3.2.1, which is valid until 31 March 2024, or choose to adopt the newer v4.0. However, SureCloud advises organizations to start their journey towards PCI DSS v4.0 as soon as possible.

PCI DSS v4.0 promotes security as a continuous process with new controls to address sophisticated cyberattacks.

The purpose of the customized approach

The most common discussion between a Qualified Security Assessor (QSA) and their client is the need to meet the specific and strict requirements of PCI DSS v3.2.1. In the past, organizations had no choice but to comply via the defined approach. However, PCI DSS v4.0 allows companies to design a bespoke framework to meet the requirements in a way that works for their business.

For organizations wishing to implement a customized framework, SureCloud recommends the following roadmap:

Select: Your organization must decide whether to use a customized or defined approach, as stated by PCI DSS. Once the decision has been made, we’d advise informing your compliance-accepting entity (acquirer/payment brand).

Plan: The customized approach must be planned and implemented before an assessment. Documentation and processes must be completed to ensure the approach meets the control requirement.

Consult: Whether you’re using a customized approach for one or several different requirements, they must meet the definition of each requirement as stated in PCI DSS. We recommend consulting a QSA to ensure all requirements have been met. Failure to do this could result in being non-compliant and a failed assessment.

Implement: Once you’re confident your framework is acceptable and you can maintain the appropriate documentation and processes, the control is ready to be deployed. You can then enjoy the rewards of a holistic approach to security that benefits your business.

This new update allows businesses to add greater flexibility to different organizational methodologies.

Which controls cannot be customized?

Unfortunately, not all PCI DSS requirements can be customized. The ones that aren’t included are arguably the most important. Therefore, both approaches must be implemented following the guidelines set out by the council:

Requirement 3.3.1: Do not store Sensitive Authentication Data (SAD) after authorization.

Requirement 3.3.2: Encrypt the SAD that you store before authorization.

Requirement 11.3.2: Use an Approved Scanning Vendor (ASV) to provide external vulnerability scans at least once every three months; and rescans if required to show remediation activity.

The implementation process

Before starting the implementation process, it’s important to understand each PCI DSS requirement, as your existing architecture may help you meet them.

Select which elements of the requirement will be met by the customized approach. Version 4.0 also allows your organization to use different approaches for various sub-requirements. For example, a customized approach can be used for one aspect and a defined approach for the rest. It is important to note using a customized approach is not an easier option. It requires detailed planning, documentation, and reporting. At SureCloud, we believe organizations should limit the use of this method.

Where possible, organizations should design their customized approach. You understand your environment and business activity better than anyone else. However, if required, you can engage with a QSA for assistance. The same QSA cannot be used to assess those controls met by a customized approach.

Before a customized approach can be implemented, organizations must perform a Targeted Risk Analysis (TRA). This should be repeated periodically, and daily or weekly evidence must be collected. It’s essential to start collecting evidence early, as it could be required to show how effective the approach has been.

Finally, test the control thoroughly and regularly to ensure it achieves the desired objectives and meets the intended requirement. The control should also be continuously maintained, as this will support its ongoing effectiveness.

PCI DSS v3.2.1 will remain active for two more years, but SureCloud recommends transitioning to v4.0 sooner rather than later.

Organizational and assessor responsibilities

The Payment Card Industry Standard Security Council (PCI SSC) places a lot of emphasis on the understanding of roles within the framework, especially for the customized approach. The two primary roles in this scenario are the organization and the assessor. The table below details the responsibilities of each entity:

Organizations ResponsibilityAssessors Responsibility
Understand the customized approach and its supporting requirements, as set out in PCI DSS v4.0Independent QSA to review all documentation
Define and document each customized approachConfirm the control is meeting the requirement to a sufficient standard. Supply all relevant documentation
Perform Target Risk Analysis (TRA) for each customized approachCreate a robust testing procedure for use in the assessment
Perform and document testing to evidence the control is operating effectivelyTest the control
Communicate with the assessor to inform them of your use of a customized approachDocument all of the above and the test results
Provide all evidence of TRA and control testing during your assessment

Would you like to talk to us and find out more about our services?

Please fill in the form below and one of the team will get in touch.