GRC Manager POV: I Can Customize My Own Controls for PCI DSS Compliance?
PCI ISA POV: Hold my beer.
The new PCI DSS v4.0 Customized Approach isn’t the “woo hoo” or magic PCI fairy dust you’ve been looking for.
No. It’s not a free pass to do whatever you want.
It’s not a compliance time saver, either.
Sorry. It’s not a compliance cost cutter.
And no, it’s not the same as a compensating control.
Here's 7 Fast Facts You Need To Know About The Customized Approach
1. You need a targeted risk analysis (TRA) for every control you decide you want to use the customized approach.
2. You need to complete the Controls Matrix in the PCI DSS Requirements and Testing Procedures in Appendix E, page 335, for each and every control you want to “customize.”
3. The TRA must be reviewed and approved and you must maintain that as documentation evidence.
4. You must be periodally review the TRA and customized control to ensure it’s working as advertised.
5. Your QSA must derive, perform, and validate the testing procedure used for the customized approach (this WILL cost you extra!)
6. If your QSA consults on a customized approach control, they can’t assess it.
‼️ 7. The Customized Approach is an option available only to merchants that must complete a Report on Compliance assessment‼️
Moral of the story: if you can meet the defined approach, do that.
Repeatable processes and proven templates help improve your PCI DSS compliance maturity as well as save you time so that you can focus your attention on assessing evidence or continuous compliance.