Authored by Brian Odian for VikingCloud’s Compliance Elements Series, available on YouTube.
PCI DSS 4.0, just released, brings about 2 approaches for implementing and validating the requirements. There is the Defined Approach and the Customized Approach.
As per the standard the Defined Approach “Follows the traditional method for implementing and validating PCI DSS and uses the Requirements and Testing Procedures defined within the standard.” What remains as part of this approach is Compensating Controls. Again, as stated in the new standard “As part of the defined approach, entities that cannot meet a PCI DSS requirement explicitly as stated due to a legitimate and documented technical or business constraint may implement other, or compensating controls, that sufficiently mitigate the risk associated with the requirement.”
Where things really change up is the Customized Approach. This approach was designed to support innovations in cyber security and allow flexibility in showing how an entities security controls meet a PCI DSS objective. It’s suited for risk-mature companies that account for the new approach. The Customized Approach according to the standard “Focuses on the Objective of each PCI DSS requirement (if applicable), allowing entities to implement controls to meet the requirement’s stated Customized Approach Objective in a way that does not strictly follow the defined requirement.”
You can have a mix of the Defined and Customized Approach in your environment and subsequent assessment. However, note that “the controls implemented and validated using the customized approach are expected to meet or exceed the security provided by the requirement in the defined approach. The level of documentation and effort required to validate customized implementations will also be greater than for the defined approach.”
So, the choice is yours but recognize that one approach does take more effort than the other.
