This blog is the third in a series of articles on the customized approach. The first article in this series provided a high-level overview of the customized approach and explored the difference between compensating controls and the customized approach. The second article focused on considerations for entities thinking about implementing a customized approach and provided details about the customized approach resources included in PCI DSS and the PCI DSS Report on Compliance Template. This article focuses on roles and responsibilities for the customized approach, both for the entity developing and implementing a customized approach and for the assessor when reviewing a customized approach as part of a PCI DSS assessment.
The customized approach was introduced in PCI DSS v4.0 to support increased flexibility for organizations using different methods to achieve security objectives. The customized approach was developed in response to feedback from our stakeholders that they wanted more flexibility to use innovative technologies to achieve security objectives. These new technologies often do not fit within the traditional method for implementing and validating PCI DSS.
In this post, Lauren Holloway, Director, Data Security Standards, addresses some common questions about the customized approach.
What is the assessed entity’s role in the customized approach?
Lauren Holloway: The assessed entity designs, develops, analyzes, implements, and maintains its customized controls, including the following steps:
- Review the customized approach information included in PCI DSS, including in Section 8, Requirement 12.3.2, and Appendices D and E.
- Define and document each customized control, including a description of how the control meets the requirement’s objective. A Sample Controls Matrix is included in PCI DSS Appendix E1.
- Perform and document a targeted risk analysis that shows the customized control is sufficiently robust to provide at least the equivalent protection as the Defined Requirement. A Sample Targeted Risk Analysis Template is included in PCI DSS Appendix E2.
- Perform and document testing that confirms each customized control is effectively meeting the requirement’s objective.
- Describe how the effectiveness of each control is monitored and maintained over time.
- Communicate early with your assessor about plans to implement a customized approach.
- Provide all documentation about each customized control to your assessor.
It is important that the assessed entity internalizes responsibility for any customized controls and takes active ownership of their implementation.
What is the assessor’s role in assessing the customized approach?
Lauren Holloway: The assessor receives all customized approach documentation from the entity and performs the following steps:
- Review the entity’s documentation to fully understand the customized control.
- Confirm that each customized control is sufficiently documented, and that the documentation includes all required information, and describes how the customized control provides at least the equivalent protection as the Defined Requirement.
- Derive robust testing procedures that result in thorough testing of each customized control.
- Test each customized control implementation to determine whether it:
- Meets the requirement’s Customized Approach Objective,
- Is maintained to ensure ongoing effectiveness, and
- Results in an In Place finding.
- Document the controls, derived testing procedures, testing results, and other relevant details in the ROC, both at the requirement and in the ROC Appendix E.
Can a QSA company design or implement customized controls on behalf of an organization?
Lauren Holloway: While QSA Employees may assist entities with the design or implementation of customized controls, QSA Companies must adhere to the independence requirements defined in the QSA Qualification Requirements and QSA Program Guide. This includes having separation of duties controls in place to ensure that QSA Employees conducting or assisting with a PCI DSS assessment are independent and not subject to any conflict of interest.
It would be a conflict of interest for a QSA Employee that was involved in the design or implementation of a customized control to derive testing procedures for, assess, or assist with the assessment of, that customized control. Refer to FAQ 1562 “Is a QSA Employee that designs, develops, or implements specific controls for a customer also permitted to assess those same control?” on the PCI SSC FAQs page for more information.
While a QSA employee can provide consulting services related to the customized approach, an organization that needs a QSA to design or implement its customized controls may not be a good candidate for the customized approach since it may be difficult for them to maintain that control and ensure it continues to operate effectively. An organization with risk maturity, commitment, and the necessary resources to develop, implement, and maintain their own customized controls is more likely to achieve long term security effectiveness with those customized controls.