X
X

Find Your Specialist

X

Contact Us

Error: Contact form not found.

Go Back

PCI DSS 4.0 Offers New Customized Approach to Achieve Compliance

For the first time in the history of the DSS, PCI DSS 4.0 offers organizations the ability to customize the controls that they rely upon to secure their environments. The new Standard still contains a prescriptive set of controls that can be used to achieve compliance, but also allows for alternative approaches on how compliance is achieved. The Council’s new customized approach supports innovation in security practices within organizations whose risk management posture is already robust and mature.

The latest Standard allows for alternative approaches to achieving compliance over the given, prescriptive framework, provided the same level of security is achieved. This approach recognizes that organizations have differing risk profiles and therefore differing security needs, and that a one-size-fits-all approach may not fit the payment card landscape today.

For example, PCI DSS 4.0 allows for alternative methods of authentication. The new Standard recognizes that traditional methods of authentication, such as passwords, may not be sufficient to protect against modern threats. As a result, PCI DSS 4.0 allows for the use of multi-factor authentication (MFA), biometrics and other alternative methods of authentication, provided that they meet certain requirements which are clearly spelled out in the Guidance and Objectives in the Standard.

It is important to note that the use of this customized approach comes with strings attached. Any entity choosing to customize its approach to any applicable DSS requirement must satisfy the following additional criteria:

  • Document and maintain evidence about each customized control, including all information specified in the Controls Matrix Template in Appendix E1.
  • Perform and document a targeted risk analysis (PCI DSS Requirement 12.3.2) for each customized control, including all information specified in the Targeted Risk Analysis Template in Appendix E2.
  • Perform testing of each customized control to prove effectiveness, and document testing performed, methods used, what was tested, when testing was performed and results of testing in the controls matrix.
  • Monitor and maintain evidence about the effectiveness of each customized control.
  • Provide completed controls matrix(es), targeted risk analysis, testing evidence, and evidence of customized control effectiveness to its assessor.

It would be beneficial to have a conversation with your Qualified Security Assessor (QSA) as you set out to build your customized approach documentation. After all, they will be assessing the effectiveness of your customized control program during your next 4.0 assessment.

An important distinction about the customized approach is that it is not the same as using a compensating control. PCI DSS 4.0 still allows for the use of compensating controls to achieve compliance. Compensating controls are alternative security measures that can be used to mitigate risk when the prescribed PCI DSS requirement cannot be met. For example, if an organization cannot implement a particular security control due to technical or business constraints, it may be able to implement compensating controls that address the same risk as the prescribed control and meets or exceeds the security provided by the prescribed control. Consult with your QSA about what constitutes a compensating control vs. a customized requirement within your own environment.

By offering more flexibility in implementing controls, PCI DSS 4.0 enables organizations to take a more tailored approach to security and achieve compliance in a way better aligned with their specific needs and risk profiles. This approach can help organizations achieve a more effective security posture while reducing the cost and complexity of compliance efforts. However, it is important to note that any alternative approaches to compliance must maintain the same level of security as the standard requirements. Organizations should work closely with their QSA to ensure that any alternative approaches are appropriate and meet the requirements set forth in the Standard.

For more information or to connect with a Frazier & Deeter QSA, please contact:

Mindy Milliet, Partner, PCI | mindy.milliet@frazierdeeter.com

Aaron Getchius, Director, PCI | aaron.getchius@frazierdeeter.com

Related Articles

Privacy Overview

When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

You can enable or disable our use of cookies per category.
Always Enabled
Essential cookies enable you to navigate our Site and use certain features, such as accessing secure areas of our Site and using other features of our service that require us to keep track of certain information as you navigate from page to page. Although some of these cookies are “required” to enable certain functionality, you can disable them in the browser, but doing so will limit your ability to use the features supported by such cookies.
Functionality cookies are cookies that support features of the Site, such as remembering your preferences.
These cookies collect information about how you use our Site, including which pages you go to most often and if they receive error messages from certain pages. These cookies are only used to improve how our Site functions and performs.
From time-to-time, we may engage third parties that track individuals who visit our Site. These third parties may track your use of the Site for purposes of providing us with certain marketing automation features (to help us improve our outreach to current and prospective clients) and providing you with targeted advertisements.