
More Flexibility, More Security: The PCI DSS v4.0.1 Customized Approach in Practice

25 February 2026

The Customized Approach in PCI DSS v4.0.1 gives organizations greater flexibility in protecting cardholder data. Rather than relying on a rigid checklist, companies can define tailored security controls that fit their IT landscape and risk profile, as long as the required security objectives are achieved. This allows organizations to implement individual controls for specific requirements and leverage existing synergies instead of maintaining parallel control systems.

At first glance, the Customized Approach therefore looks like a flexible method for meeting specific requirements. But how can theory be turned into a robust concept for practical implementation? Our colleague Nur Ahmad, Managing Security Consultant and QSA, has already implemented the Customized Approach successfully and shows what really counts in practice and which best practices have already proven themselves.

How does the Customized Approach work?

The Customized Approach now also enables companies to define and implement their own security measures for individual PCI DSS requirements. The individually developed measures must demonstrably meet the defined security objective of the respective requirements.

Example: Behavioral biometrics for authentication (Requirements 8.3.1 - 8.3.6)
  • Customized Approach Objective: Authentication for access to the Cardholder Data Environment (CDE)
  • Standard Control: Multi-factor authentication with password and token
  • Custom Control: Integration of behavioral biometrics (e.g., typing patterns, mouse movements) as an additional factor
  • Benefit: Difficult to steal or replicate; improves usability and security

Example: AI for anomaly and fraud detection (Requirements 10.4.1 - 10.4.2)
  • Customized Approach Objective: Monitoring and rapid detection of security incidents
  • Standard Control: IDS/IPS and routine log analysis
  • Custom Control: Use of machine learning for real-time analysis of network traffic and detection of anomalies
  • Benefit: Faster and more accurate threat detection than conventional systems

While organizations benefit from greater flexibility and innovation, they also assume more responsibility. Ensuring that these customized measures remain PCI DSS compliant becomes the central challenge.

From standard requirements to tailored solutions: Practical perspective

Our auditors addressed precisely this challenge in a client project: Instead of implementing requirement 3.4.2 of PCI DSS according to the defined standard, the client chose the Customized Approach.

When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.

Requirement 3.4.2, PCI DSS v4.0.1

The task of our project team was to develop a suitable test procedure to verify whether the implemented controls fully and effectively meet the objectives of the Customized Approach. Specifically, the PAN must not be copied or moved by unauthorized persons using remote access technologies. As part of the assessment, our auditors reviewed the control matrix provided by the customer, a targeted risk analysis, and evidence of the effectiveness of the measures, e.g., pentest reports and other specific documentation. On this basis, the project team developed appropriate test procedures, documented them, and systematically evaluated each individual control measure. The details of the test procedures and the results of the tests were included in the Report on Compliance (RoC).

From theory to practice

What initially appears to be the structured processing of individual process steps turns out, on closer inspection, to be a complex and challenging audit process in which our auditors had to consider the following aspects:

Independence of Qualified Security Assessors (QSAs)

When applying the Customized Approach according to PCI DSS v4.0.1, a clear distinction between roles is crucial. A QSA who was involved in the design, development, and implementation of individual measures may not audit them. To ensure an independent and objective assessment, two auditors are therefore required: the first QSA provides technical support for the measure, while a second, independent QSA conducts the audit, tests the implementation, and finally evaluates it.

Interdisciplinary collaboration and documentation

Careful documentation plays a crucial role in implementing the Customized Approach. Both the control matrix on which it is based and the targeted risk analysis must be recorded comprehensively and transparently. It is particularly important that the QSA maintains regular contact with the client in order to explain the required content in the documents clearly and in detail. In addition, it is the responsibility of the second QSA conducting the audit to thoroughly review the controls implemented to ensure that the requirements of the Customized Approach are met.

Continuous review and adjustment

Since the Customized Approach is highly individualized, measures must be evaluated regularly and adjusted as necessary in order to remain effective in the long term.

How was this approach implemented in the project?

Together with the client, our auditors applied the Customized Approach to meet the objective of requirement 3.4.2. To this end, a solution was developed that clearly structures remote access, documents it transparently, and controls it through defined approval processes. This ensured that PANs could only be processed in permissible, authorized scenarios when using remote access technologies. Close cooperation between the client team members and QSAs resulted in a customized, auditable solution that could be seamlessly integrated into the existing system landscape.
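As an added example (not code from this blog post, the client project, or the PCI SSC), the following Python sketches the default-deny decision that a control for the 3.4.2 objective can implement: a PAN copy or relocation over a remote session is allowed only when the approval process has produced an explicit, still-valid record naming the user, the operation, a defined business need and an approver, and every decision is written to an audit trail. The user names, approvers, ticket ids, dates and the mapping of "copy" and "relocate" to gateway features (clipboard and file transfer) are assumptions made for the illustration.

```python
# Added example (not the page's or the client's code): a default-deny decision
# for copying or relocating PAN over a remote-access session, modelled on the
# objective of PCI DSS v4.0.1 requirement 3.4.2. User names, approvers, ticket
# ids, dates and the mapping of operations to gateway features are constructed.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorization:
    """One documented, explicit authorization produced by the approval process."""
    user: str
    operations: frozenset   # subset of {"copy", "relocate"}
    business_need: str      # legitimate, defined business need (must be stated)
    approved_by: str        # approver recorded by the approval process
    valid_until: date       # authorizations expire and must be re-approved


# Constructed sample records; in practice they come from the documented
# approval workflow (ticketing / IAM), not from a list in code.
AUTHORIZATIONS = (
    Authorization("alice", frozenset({"copy"}),
                  "Chargeback investigation, ticket CB-1234 (constructed)",
                  "security_lead", date(2026, 6, 30)),
    Authorization("bob", frozenset({"copy", "relocate"}),
                  "",                                  # business need never documented
                  "security_lead", date(2026, 6, 30)),
    Authorization("carol", frozenset({"relocate"}),
                  "Vault migration, change CHG-42 (constructed)",
                  "ciso", date(2025, 12, 31)),         # expired
)

TODAY = date(2026, 3, 1)   # constructed assessment date
AUDIT_LOG = []             # every decision is recorded, allow and deny alike


def evaluate(user, operation, today=TODAY, authorizations=AUTHORIZATIONS):
    """Return (allowed, reason) for one PAN operation in a remote session.

    Default is deny: 3.4.2 applies to all personnel, so the operation is allowed
    only if a record names the user, covers the operation, states a business
    need, carries an approver and has not expired.
    """
    if operation not in ("copy", "relocate"):
        raise ValueError(f"unknown operation: {operation}")
    allowed, reason = False, "no documented authorization"
    for auth in authorizations:
        if auth.user != user or operation not in auth.operations:
            continue
        if not auth.business_need.strip():
            reason = "authorization lacks a defined business need"
        elif not auth.approved_by.strip():
            reason = "authorization has no recorded approver"
        elif auth.valid_until < today:
            reason = f"authorization expired on {auth.valid_until.isoformat()}"
        else:
            allowed = True
            reason = f"authorized by {auth.approved_by} until {auth.valid_until.isoformat()}"
            break
    AUDIT_LOG.append({"date": today.isoformat(), "user": user,
                      "operation": operation, "allowed": allowed, "reason": reason})
    return allowed, reason


# Assumed mapping of the 3.4.2 operations to remote-access gateway features.
FEATURE_FOR_OPERATION = {"copy": "clipboard_out", "relocate": "file_transfer_out"}


def session_policy(user, today=TODAY, authorizations=AUTHORIZATIONS):
    """Feature flags the gateway should apply when the session is established.

    Everything that can move PAN off the session stays switched off unless
    evaluate() allows it for this user on this day.
    """
    return {feature: evaluate(user, op, today, authorizations)[0]
            for op, feature in FEATURE_FOR_OPERATION.items()}


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, session_policy(name))
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the structure is that the technical control and the documentation the auditors review are the same artefact: the authorization records that drive the gateway's feature flags are exactly what the control matrix must reference, and the audit log gives the second QSA evidence that denials actually happen for personnel without a documented need.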

Key success factors for the Customized Approach: Our recommendations

Based on these experiences, our auditors have developed practical recommendations and best practices that can help you efficiently implement the Customized Approach in the future:

  • Timing: Start early to manage the high level of effort required for documentation and testing.
  • Comprehensive documentation: Create detailed control matrices and targeted risk analyses using the official PCI SSC templates.
  • Responsibilities: Define which documents and tests are to be prepared by the company and which by the QSA.
  • Regular communication with the QSA: Maintain close dialogue to understand requirements and implement them correctly.
  • Thorough internal testing: Carefully test and document all individual controls before the audit.
  • Risk-based approach: Justify deviations from the standard with comprehensive risk analyses.
  • Sufficient resources: Plan time, personnel, and expertise for the increased complexity.
  • Continuous review: Evaluate and regularly adapt measures to current risks.

Have you already discussed implementing the Customized Approach in your company? Or do you need help preparing for or implementing PCI DSS in your company? Contact us.
