Truvantis Blog

The New Customized Approach for PCI DSS Version 4 - The PCI Dream Team

Written by Truvantis | Jul 29, 2023 6:03:28 AM

The Truvantis Risk Radar welcomed the PCI Dream Team to the first stop of their 2023 book tour. Their new book is called “The Definitive Guide to PCI DSS Version 4”. The authors have more than 50 years of combined PCI experience. When it comes to PCI DSS, they’ve seen it all, been there, and done that, and they are sharing their combined knowledge with us to make our PCI journeys easier.

In part two of our three-part interview, we dive deeper into PCI DSS Version 4, starting with the big changes regarding the all-new customized approach to PCI DSS compliance and how it will stir controversy in the field.

“With the customized approach, I think we're going to have even more turbulence and turmoil. At the end of the day, the ultimate arbiter of whether they meet that requirement is going to be the QSA, which I think is going to create a little bit more friction.” – David Mundhenk on The Truvantis Risk Radar show 

“Everybody thinks because something's old, like a mainframe, that it's a bad thing. And at the end of the day, mainframes today can do everything that Linux, Windows and all this other stuff can do. New stuff that people write just isn't as proven. As a result, if you run into problems, 99% of the time, it's because the code isn't that old.” – Jeff Hall on The Truvantis Risk Radar show.

“The newly sanctioned Customized Approach focuses on the overall objective of the requirement rather than the requirements and testing procedures as written. When using this approach, every implementation will be different as there are “NO” defined testing procedures, and the assessor will actually be responsible to come up with testing procedures that “WILL” adequately test the entity’s customized implementation.” – The Definitive Guide to PCI DSS Version 4, pg. 221

“A compensating control AND the customized approach CAN be used for the same requirement.” “BREATHE, BREATHE, and you will get what we are stating in this example.” – The Definitive Guide to PCI DSS Version 4, pg. 224

Listen to the Full Interview

For the full interview, please visit The Truvantis Risk Radar YouTube channel or listen to the podcast.

About Truvantis 

Truvantis® is a security, privacy and compliance consulting organization providing best-in-class services to secure your organization's infrastructure, data, operations and products. We specialize in helping our clients improve their cybersecurity posture by implementing, testing, auditing and operating information security programs.