
    Is the Customized Approach in PCI DSS 4.0 right for me?


    What is a “Customized Approach”?

    Historically, PCI DSS has published a defined approach to implementing the required security controls. The standard outlined the compensating controls an organization could implement to achieve compliance. If a particular control didn't work for an organization, they had the option to document the issue and implement compensating controls to fill the gap.

    The new PCI DSS v4 customized approach provides an alternative to the defined approach and compensating controls path to compliance. Instead, organizations can design and implement their own controls to meet the Customized Approach Objective for a particular requirement. 

    Read our blog on the PCI 4.0 timelines to learn more.

    What's the difference between a compensating vs customized control?

    Compensating and customized controls differ in how an organization approaches a particular requirement.  A compensating control is used when an organization attempts to implement controls required by the defined approach, falls short of compliance, and needs to implement additional controls.  A customized control replaces the defined control entirely with a different control that achieves the same objective.

    For example, PCI DSS has several requirements designed to improve account security by requiring strong, random passwords.  However, an organization could meet the intended goals by implementing a passwordless authentication system that authenticates a user based on biometrics and/or possession of a trusted device or smartcard.  A passwordless multi-factor authentication (MFA) system could meet PCI DSS objectives but renders certain requirements — such as minimum password length — meaningless. 

    Why allow customized approaches?

    The PCI SSC introduced the customized approach to provide additional flexibility to organizations subject to the PCI DSS.  The requirements outlined in the defined approach to compliance are designed to work for every organization that holds and processes payment card data.  A “one size fits all” approach means that these requirements are unlikely to perfectly meet an organization’s needs.

    By moving away from a “one size fits all” approach, the PCI SSC enables organizations to better tailor security architectures to their needs and to implement more advanced or evolved security solutions than the PCI DSS requirements specify.  Regulatory requirements tend to lag behind the cutting edge of security technology.  By allowing customized approaches, the PCI SSC is trying not to restrict companies looking to go above and beyond regulatory requirements.

    How do I implement a customized approach?

    In general, the customized approach introduced in PCI DSS v4 is intended for organizations with a mature, risk-based security program.  This is because implementing the customized approach often requires more effort than the defined approach, which describes exactly what an organization needs to do to achieve compliance.

    With a customized approach, an organization needs to perform a risk analysis and generate a controls matrix for each customized control they implement.  Templates for each are published in Appendix E of the standard.  Each risk assessment must be reviewed and approved by an executive within the company.

    After implementing a customized control, the organization is also responsible for long-term monitoring and testing to determine the effectiveness of the control.  This requires additional effort to develop metrics and set up monitoring.

    Customized controls also have requirements for the PCI DSS assessor.  During a PCI DSS audit, the Qualified Security Assessor (QSA) is responsible for reviewing each customized control, designing and enacting a test plan, and documenting the results.  This will likely add to the time and expense of completing a PCI DSS audit.

    This need for independent assessment is also why customized controls can only be implemented by organizations that have a Report On Compliance (ROC) performed by a QSA.  Companies that achieve compliance via a Self-Assessment Questionnaire (SAQ) can't use customized controls unless they voluntarily undergo a ROC.

    The pros and cons of customized controls for PCI

    Customized controls provide organizations with greater flexibility when pursuing PCI DSS compliance.  Some benefits include the following:

    • Tailored security: The defined approach to PCI DSS compliance only allows flexibility in the form of compensating controls.  The customized approach allows an organization to design security controls that better meet its needs.
    • Up-to-date technology: Security technologies described in the defined approach are likely to lag behind the state-of-the-art solutions in the market today.  Customized controls allow companies to use any solution that meets regulatory requirements.

    However, customized controls also have their downsides.  Some important factors to consider when choosing between the defined and customized approaches to compliance include the following:

    • Limited access: Customized controls are only available to companies undergoing a ROC.  Organizations that achieve compliance via SAQs are not eligible.
    • Additional overhead: Implementing a customized control requires more work than the equivalent defined control.  An organization will have to perform a risk assessment and demonstrate that the control meets the relevant requirements. You may also need to assess the impact of your customized control on other controls as part of an assessment.  
    • Costlier audits: A QSA reviewing defined controls can rapidly determine if an organization is compliant with a requirement.  Customized controls require more work for the QSA, which increases the cost and duration of the audit.

    Should I take a customized approach to PCI DSS?

    Designing, implementing, and monitoring a customized control requires more time, resources, and expertise than the defined approach. That means an organization should only turn to customized controls when they provide a clear, significant benefit to the organization.

    Additionally, PCI DSS’s independence requirements mean that a QSA can’t help with both designing and implementing customized controls.  This means that an organization either needs to have the expertise to design and implement a custom control in-house or work with a third-party provider or a different independent QSA.

    The bottom line on PCI DSS customized approach

    The option for customized approaches to compliance makes PCI DSS compliance more flexible but isn’t intended to make it easier.  A custom approach to compliance is more expensive and complicated than following the defined approach.  Therefore, customized controls only make sense if they provide a significant return on investment (ROI) that outweighs the additional effort needed to design, implement, and maintain them.

    Alternatively, you can use tokenization providers, like Basis Theory, to satisfy as much as 99% of the effort required by PCI 4.0. Learn more and get your own PCI-compliant environment stood up for free in as little as 5 minutes.
