Possibly one of the biggest and most anticipated changes introduced with PCI DSS v4.0 is the Customized Approach. The PCI SSC is pushing the Customized Approach as providing organizations with “flexibility” in complying with PCI DSS requirements. You may have even seen posts on LinkedIn and Twitter from people touting the flexibility that PCI DSS v4.0 provides through the Customized Approach. But, while the Customized Approach does provide flexibility, it is by no means an easy way to customize your PCI compliance.
First and foremost, the Customized Approach is not a replacement for the Compensating Control Worksheet (CCW). The CCW still exists as a way for organizations that cannot meet a PCI requirement because of a technical or business reason to still comply with the PCI DSS.
As defined in the ROC Reporting Template, the Customized Approach:
“Focuses on the Customized Approach Objective of each PCI DSS Requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS requirements. Refer to the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures for the Customized Approach Objective.
Note: Compensating Controls are not an option for the Customized Approach”
The best example of a customized approach would be an organization’s adoption of NIST SP 800-63B for password guidance instead of the PCI DSS v4.0 approach documented in requirements 8.3.6, 8.3.7, 8.3.8 and 8.3.9.
For an organization to use a Customized Approach, it must do the following:
- Document and maintain evidence about each customized control, including all information specified in the Controls Matrix Template in Appendix E1 of the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures.
- Perform and document a targeted risk analysis (PCI DSS Requirement 12.3.2) for each customized control, including all information specified in the Targeted Risk Analysis Template in Appendix E2 of the Payment Card Industry Data Security Standard (PCI DSS) Requirements and Testing Procedures.
- Perform testing of each customized control to prove effectiveness, and document testing performed, methods used, what was tested, when testing was performed, and results of testing in the controls matrix.
- Monitor and maintain evidence about the effectiveness of each customized control.
- Provide completed controls matrix(es), targeted risk analysis, testing evidence, and evidence of customized control effectiveness to its assessor.
The organization is required to write up the majority of the documentation for the Customized Approach. While that was also true for CCWs, the fact is that most CCWs were written by QSAs because most organizations were totally inept at writing them. With the Customized Approach, the forms explicitly call out those sections that are required to be written by the organization and those sections required to be completed by the QSA. So, there is no ambiguity in who does what and what they are required to provide.
These are not simple forms that will take minutes to fill out. These are multi-page documents that will require a significant amount of thought, effort and review for organizations to create and ensure they are accurate. In the case of our password example, that will likely result in many pages of documentation as well as significant testing to successfully get through the Customized Approach process because it will cover multiple requirements. Never mind all of the review time required by your QSA to ensure that all of this documentation is in proper order and properly replaces all of those requirements that you are now saying you no longer follow.
With the Customized Approach, not only does the QSA have to test the controls and document the results, but the organization itself also has to test the controls and provide the results of that testing to the QSA for review. That is a huge change and will likely have a tremendous impact on which controls get a Customized Approach and which do not, because the effort required from the organization and the QSA is going to significantly increase the time and cost it takes to complete the PCI assessment.
I know a lot of organizations at first thought that the Customized Approach was going to be a godsend. But it is far from it based on the information being requested in the templates and forms that the Council has provided. In addition, all of these forms are likely going to be heavily scrutinized by the Council in their AQM reviews as well as by some acquiring banks.
So, while the Customized Approach provides the flexibility organizations were demanding, it comes with a significant price in documentation and testing. The lesson here is to be very careful what you ask for because you might just get it.
About Truvantis
Truvantis is a security, privacy and compliance consulting firm providing best-in-class services to secure your organization's infrastructure, data, operations and products.
We specialize in helping our clients improve their business resilience and manage their risk by implementing, testing, auditing and operating information security programs.
Our world-class services include security testing and a wide range of flexible compliance and vCISO programs. Truvantis is also an authorized PCI DSS Qualified Security Assessor (QSA) Company.
Jeff Hall
CISA, CISM, CDPSE, PCI QSA
Jeff Hall is a Principal Security Consultant at Truvantis and was the founding President of the Minnesota InfraGard chapter, the public/private partnership between businesses and the US Federal Bureau of Investigation (FBI).
Jeff is a skilled project manager and has delivered PCI DSS compliance projects that others thought were impossible. He is also an accomplished writer and communicator with a popular blog and a busy calendar of speaking engagements at various conferences and symposia.
Jeff’s latest book, The Definitive Guide to PCI DSS Version 4: Documentation, Compliance, and Management written in partnership with the PCI Dream Team, is available now on Amazon.