GRC Manager POV: I Can Customize My Own Controls for PCI DSS Compliance?

PCI ISA POV: Hold my beer.

The new PCI DSS v4.0 Customized Approach isn’t the “woo hoo” or magic PCI fairy dust you’ve been looking for.

No. It’s not a free pass to do whatever you want.

It’s not a compliance time saver, either.

Sorry. It’s not a compliance cost cutter.

And no, it’s not the same as a compensating control.

Here are 7 Fast Facts You Need To Know About The Customized Approach

1. You need a targeted risk analysis (TRA) for every control for which you decide to use the customized approach.

2. You need to complete the Controls Matrix in the PCI DSS Requirements and Testing Procedures in Appendix E, page 335, for each and every control you want to “customize.”

3. The TRA must be reviewed and approved, and you must retain it as documented evidence.

4. You must periodically review the TRA and the customized control to ensure it’s working as advertised.

5. Your QSA must derive, perform, and validate the testing procedure used for the customized approach (this WILL cost you extra!).

6. If your QSA consults on a customized approach control, they can’t assess it.

‼️ 7. The Customized Approach is an option available only to merchants that must complete a Report on Compliance assessment‼️

Moral of the story: if you can meet the defined approach, do that.

Be sure to check out our PCI DSS v4.0 Fast Facts series in the Nolan & Cressey PCI Training and Resource Center.

In this series we cover:

  • The Customized Approach
  • Targeted Risk Analysis for the Customized Approach
  • INFI
  • x.1.2 requirements
  • 12.5.2: the new requirement for SCOPE

What you need to know in 2024 as you dive into your first v4.0 Report on Compliance!

26 Apr 2024

