Organizations needing to comply with the Payment Card Industry Data Security Standard (PCI DSS) will already be familiar with the defined approach as, historically, this is how companies demonstrate compliance. In short, it means meeting the required standard as per the definition set out by the PCI council. However, the release of PCI DSS version 4.0 means there are new, customized ways to demonstrate compliance.
Version 4.0, released in March 2022, made significant changes to PCI DSS, helping organizations meet the evolving needs of the payment security sector. There is a greater focus on security as a continuous process and increased flexibility in how organizations meet the requirements.
We are currently in a period of transition where organizations are allowed to retain their compliance against PCI DSS v3.2.1, which is valid until 31 March 2024, or choose to adopt the newer v4.0. However, SureCloud advises organizations to start their journey towards PCI DSS v4.0 as soon as possible.
The most common discussion between a Qualified Security Assessor (QSA) and their client is the need to meet the specific and strict requirements of PCI DSS v3.2.1. In the past, organizations had no choice but to comply via the defined approach. However, PCI DSS v4.0 allows companies to design a bespoke framework to meet the requirements in a way that works for their business.
For organizations wishing to implement a customized framework, CSA recommends the following roadmap:
Select: Your organization must decide whether to use a customized or defined approach, as stated by PCI DSS. Once the decision has been made, we’d advise informing your compliance-accepting entity (acquirer/payment brand).
Plan: The customized approach must be planned and implemented before an assessment. Documentation and processes must be completed to ensure the approach meets the control requirement.
Consult: Whether you’re using a customized approach for one or several different requirements, they must meet the definition of each requirement as stated in PCI DSS. We recommend consulting a QSA to ensure all requirements have been met. Failure to do this could result in being non-compliant and a failed assessment.
Implement: Once you’re confident your framework is acceptable and you can maintain the appropriate documentation and processes, the control is ready to be deployed. You can then enjoy the rewards of a holistic approach to security that benefits your business.
Unfortunately, not all PCI DSS requirements can be customized. The ones that are excluded are arguably the most important. Whichever approach an organization chooses for the rest of the standard, the following requirements must be implemented following the guidelines set out by the council:
Requirement 3.3.1: Do not store Sensitive Authentication Data (SAD) after authorization.
Requirement 3.3.2: Encrypt the SAD that you store before authorization.
Requirement 11.3.2: Use an Approved Scanning Vendor (ASV) to provide external vulnerability scans at least once every three months; and rescans if required to show remediation activity.
Before starting the implementation process, it’s important to understand each PCI DSS requirement, as your existing architecture may help you meet them.
Select which elements of the requirement will be met by the customized approach. Version 4.0 also allows your organization to use different approaches for various sub-requirements. For example, a customized approach can be used for one aspect and a defined approach for the rest. It is important to note using a customized approach is not an easier option. It requires detailed planning, documentation, and reporting. At SureCloud, we believe organizations should limit the use of this method.
Where possible, organizations should design their own customized approach: you understand your environment and business activity better than anyone else. However, if required, you can engage a QSA for assistance. Note that the same QSA cannot then be used to assess the controls met by that customized approach.
Before a customized approach can be implemented, organizations must perform a Targeted Risk Analysis (TRA). This should be repeated periodically, and daily or weekly evidence must be collected. It’s essential to start collecting evidence early, as it could be required to show how effective the approach has been.
Finally, test the control thoroughly and regularly to ensure it achieves the desired objectives and meets the intended requirement. The control should also be continuously maintained, as this will support its ongoing effectiveness.
The Payment Card Industry Security Standards Council (PCI SSC) places a lot of emphasis on understanding the roles within the framework, especially for the customized approach. The two primary roles in this scenario are the organization and the assessor. The table below details the responsibilities of each entity:
| Organization's responsibility | Assessor's responsibility |
|---|---|
| Understand the customized approach and its supporting requirements, as set out in PCI DSS v4.0 | Independent QSA to review all documentation |
| Define and document each customized approach | Confirm the control is meeting the requirement to a sufficient standard; supply all relevant documentation |
| Perform a Targeted Risk Analysis (TRA) for each customized approach | Create a robust testing procedure for use in the assessment |
| Perform and document testing to evidence that the control is operating effectively | Test the control |
| Communicate with the assessor to inform them of your use of a customized approach | Document all of the above and the test results |
| Provide all evidence of the TRA and control testing during your assessment | |