PCI DSS 4.0 Offers New Customized Approach to Achieve Compliance
For the first time in the history of the DSS, PCI DSS 4.0 offers organizations the ability to customize the controls that they rely upon to secure their environments. The new Standard still contains a prescriptive set of controls that can be used to achieve compliance, but also allows for alternative approaches on how compliance is achieved. The Council’s new customized approach supports innovation in security practices within organizations whose risk management posture is already robust and mature.
The latest Standard allows for alternative approaches to achieving compliance over the given, prescriptive framework, provided the same level of security is achieved. This approach recognizes that organizations have differing risk profiles and therefore differing security needs, and that a one-size-fits-all approach may not fit the payment card landscape today.
For example, PCI DSS 4.0 allows for alternative methods of authentication. The new Standard recognizes that traditional methods of authentication, such as passwords, may not be sufficient to protect against modern threats. As a result, PCI DSS 4.0 allows for the use of multi-factor authentication (MFA), biometrics and other alternative methods of authentication, provided that they meet certain requirements which are clearly spelled out in the Guidance and Objectives in the Standard.
It is important to note that the use of this customized approach comes with strings attached. Any entity choosing to customize its approach to any applicable DSS requirement must satisfy the following additional criteria:
- Document and maintain evidence about each customized control, including all information specified in the Controls Matrix Template in Appendix E1.
- Perform and document a targeted risk analysis (PCI DSS Requirement 12.3.2) for each customized control, including all information specified in the Targeted Risk Analysis Template in Appendix E2.
- Perform testing of each customized control to prove effectiveness, and document testing performed, methods used, what was tested, when testing was performed and results of testing in the controls matrix.
- Monitor and maintain evidence about the effectiveness of each customized control.
- Provide completed controls matrix(es), targeted risk analysis, testing evidence, and evidence of customized control effectiveness to its assessor.
It would be beneficial to have a conversation with your Qualified Security Assessor (QSA) as you set out to build your customized approach documentation. After all, they will be assessing the effectiveness of your customized control program during your next 4.0 assessment.
An important distinction about the customized approach is that it is not the same as using a compensating control. PCI DSS 4.0 still allows for the use of compensating controls to achieve compliance. Compensating controls are alternative security measures that can be used to mitigate risk when the prescribed PCI DSS requirement cannot be met. For example, if an organization cannot implement a particular security control due to technical or business constraints, it may be able to implement compensating controls that address the same risk as the prescribed control and meets or exceeds the security provided by the prescribed control. Consult with your QSA about what constitutes a compensating control vs. a customized requirement within your own environment.
By offering more flexibility in implementing controls, PCI DSS 4.0 enables organizations to take a more tailored approach to security and achieve compliance in a way better aligned with their specific needs and risk profiles. This approach can help organizations achieve a more effective security posture while reducing the cost and complexity of compliance efforts. However, it is important to note that any alternative approaches to compliance must maintain the same level of security as the standard requirements. Organizations should work closely with their QSA to ensure that any alternative approaches are appropriate and meet the requirements set forth in the Standard.
For more information or to connect with a Frazier & Deeter QSA, please contact:
Mindy Milliet, Partner, PCI | mindy.milliet@frazierdeeter.com
Aaron Getchius, Director, PCI | aaron.getchius@frazierdeeter.com
Contributors
Mindy Milliet, Partner, PCI
Aaron Getchius, Director, PCI
Explore related insights
-
IRS Targets Basis Shifting: New Reporting Requirements for Partnership Distributions
Read more: IRS Targets Basis Shifting: New Reporting Requirements for Partnership Distributions -
Frazier & Deeter Names Jeremy Jones as Incoming Managing Partner
Read more: Frazier & Deeter Names Jeremy Jones as Incoming Managing Partner