PCI DSS v4.0 Goal 3: Increasing flexibility of methods to achieve security objectives

September 12, 2022

At a glance

The main takeaway: PCI 4.0 provides two validation options for compliance with the DSS. The first is the Defined Approach, which is similar to PCI’s historic approach. The second validation option, the Customized Approach, requires entities to conduct a targeted risk analysis and then define and deploy controls against each PCI requirement.

Impact on your business: PCI version 4.0’s Customized Approach results in entity-specific controls to address each PCI objective. There are no predefined PCI test procedures. The Customized Approach accommodates innovative technologies that involve risk management approaches not contemplated in the Defined Approach. However, it requires a mature risk management approach and extensive documentation.

Next Steps: Version 3.2.1 will be officially retired on March 31, 2024. Until this date, entities can select between version 3.2.1 and version 4.0 as the standard against which to demonstrate their PCI compliance status. Due to the considerable changes in version 4.0, Aprio believes it is in the best interest of your business to begin your transition to PCI DSS v4.0 as soon as feasible.

Schedule a consultation with an Aprio PCI DSS Qualified Security Assessor today.

The full story

Primarily, PCI 4.0 increases flexibility to achieve security objectives by providing two validation options to demonstrate PCI compliance – the Defined Approach and the Customized Approach, which could also have been referred to as the risk-based approach.

The PCI version 4.0 Defined Approach for validation

The first option, referred to as the Defined Approach, is very consistent with what prior versions of PCI DSS required. The label “Defined Approach” is now applied to this historical method to contrast it with the new approach. The label makes sense because the approach specifically defines how the entity should meet each security objective, and it also specifically defines the testing procedures that assessors should follow.

The Customized Approach for PCI validation

The new validation option introduced for version 4.0 is known as the Customized Approach. This could also have been referred to as the risk-based approach, because it requires the entity to conduct a targeted risk analysis for each requirement and then define and deploy controls that would effectively mitigate potential events that could negatively affect the security posture of the entity.

Because the Customized Approach results in entity-specific controls to address each PCI objective, there are no predefined PCI test procedures. Instead, the Customized Approach requires the entity to describe how the controls it has established meet the objective of the specific PCI requirement. It also requires the entity to describe the testing it has conducted to demonstrate that those controls meet the objective.

In our view, the Customized Approach has much merit and will become more relevant over time as entities increasingly deploy innovative technologies that involve risk management approaches not contemplated in the Defined Approach. However, because it requires such a mature risk management approach and extensive documentation, we expect most entities will continue with the Defined Approach for the foreseeable future.

Another change included in version 4.0 to increase flexibility is the application of the targeted risk analysis procedure to let entities establish the frequencies at which certain activities are performed, such as malware scans, POI device inspections, and periodic log reviews.

Related Resources

We have created a series of videos that drill down into the purpose and intent of these goals and the changes made in version 4.0 to achieve them.