GRC Manager POV: I Can Customize My Own Controls for PCI DSS Compliance?
PCI ISA POV: Hold my beer.
The new PCI DSS v4.0 Customized Approach isn’t the “woo hoo” or magic PCI fairy dust you’ve been looking for.
No. It’s not a free pass to do whatever you want.
It’s not a compliance time saver, either.
Sorry. It’s not a compliance cost cutter.
And no, it’s not the same as a compensating control.
Here are 7 Fast Facts You Need To Know About The Customized Approach
1. You need a targeted risk analysis (TRA) for every control for which you decide to use the customized approach.
2. You need to complete the Controls Matrix in the PCI DSS Requirements and Testing Procedures in Appendix E, page 335, for each and every control you want to “customize.”
3. The TRA must be reviewed and approved and you must maintain that as documentation evidence.
4. You must periodically review the TRA and the customized control to ensure it’s working as advertised.
5. Your QSA must derive, perform, and validate the testing procedure used for the customized approach (this WILL cost you extra!).
6. If your QSA consults on a customized approach control, they can’t assess it.
‼️ 7. The Customized Approach is an option available only to merchants that must complete a Report on Compliance assessment‼️
Moral of the story: if you can meet the defined approach, do that.
Unless you’ve been living under a rock, you know PCI DSS v4.0 goes into effect on March 31, 2024. Here are 4 key PCI DSS compliance processes that you need to have in place by year end.