Investigations
Security
Capacity Building
Insights
About
Digital Threat Digest Insights Careers Let's talk

Understanding the PCI DSS v4.0 Customised Approach

PCI DSS

PCI DSS v4.0 became the only authorised standard on 31 March 2024. This means every organisation that needs to be PCI compliant, will need to adhere to this standard by 31 March 2025 at the very latest. For some organisations compliance with v4.0 is complete, but some may still have a few questions about the new standard, the processes involved, and how it compares to the previous PCI DSS v3.2.1.

What are the most important changes from the previous standard to PCI DSS v4.0?

The latest PCI DSS v4.0, is a major iteration of the Payment Card Industry Data Security Standard and it introduces numerous important changes compared to the previous version.

Our QSAs have pulled together some FAQs so that you get a better idea of what steps (if any) you still need to take.

Other key updates to the standard which we will cover in separate articles include:

  • Password Management Enhancements
  • Multi-Factor Authentication (MFA)
  • Identity & Access Management (IAM)
  • Increased focus on ASV scanning
  • E-skimming controls
  • Targeted Risk Analysis

What is the overall difference between Defined and Customised?

One of the most significant changes is that the standard now provides flexibility in the way you can comply with controls. There are now two approaches which can used:

Defined Approach: This has been used since PCI DSS first started and refers to requirements and testing procedures that are clearly defined within the standard.

Customised Approach: This new approach offers organisations an alternative way of complying with a control objective when implementing PCI DSS.

What are the major differences between the defined and customised approaches?

As mentioned above, the Defined Approach is how PCI DSS v3.2.1 requirements (and all previous PCI DSS versions) were implemented within organisations. The Compensating Controls (CCW) route in the Defined Approach can often be used in situations where there is a legacy system or process that cannot be updated to meet the requirement. This is described in PCI DSS v4.0 Appendix B.

The Customised Approach, introduced in PCI DSS v4.0, allows organisations to design and implement their own security controls to meet the intent of a particular requirement. This provides greater flexibility for organisations that want to use alternate security controls or new technologies that meet the PCI DSS requirements.

The major difference between these approaches is that the Customised Approach allows organisations the flexibility in designing processes using technology and security controls they already have in place in order to meet PCI DSS requirements. It is worth noting that CCW cannot be used with this Approach.

As an example of using a Customised Approach:

Requirement 8.3.9: If passwords are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either:

  • Passwords are changed at least once every 90 days, OR
  • The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.

With the Defined Approach, the organisational password policy will typically be used to enforce that users will need to change their password every 90 days. This is to reduce the risk that a password is compromised and will be misused indefinitely. Whereas the Customised Approach allows for a potential different way of addressing this risk; for example, not changing passwords as frequently but combining this with a strong detection and alerting system that will check for potential compromised passwords, and only then would passwords need to be changed.

How do I know which approach my organisation should use?

The Defined Approach is a more straightforward validation process as it applies to an existing ‘defined’ control. On the other hand, a Customised approach provides flexibility to use innovative technologies or modified security controls. If you’re in doubt, start by undertaking a Gap Analysis with a cyber security consultant. Once they have conducted the gap analysis, they will provide you with a report on the recommended course of action, including the approach that will best suit your organisation’s needs.

Importantly, the Customised Approach has been designed for organisations which are ‘Risk Mature’ – to leverage the range of specific security controls they may already have in place to adhere with other regulatory requirements.

Remember, every organisation has different needs and different security processes in place, so you need to look at taking an approach which will be tailored to suit the needs of your organisation, not a one-size-fits-all approach.

Here’s a quick look at the potential advantages and disadvantages of a Customised Approach:

Advantages

Disadvantages

Flexibility: Potentially provides a Merchant or Service Provider an alternative way to achieve a compliant PCI DSS control.

Increased set of documentation required. For example, Controls Matrix, and Risk Assessment.

Supports innovation: Allows entities to make use of other security controls they have in place to meet PCI DSS requirements.

Increased time for both the entity and the QSA. This would include maintaining evidence and testing within the organisation; and also for the QSA to test and review / verify effectiveness.

This approach can only be used for ROC reports not SAQ reports.

How is it going to impact my business?

Complying with PCI DSS v4.0 means you will need to update some of your current controls and processes. To truly understand how much work will be required and figure out which approach is best for your organisation, it is worth starting with a Gap Analysis.

What should I do if my current annual assessment was not carried out against PCI DSS v4.0?

Although it is very important to plan for future PCI DSS requirements under v4.0, only after 31 March 2024 do you need to attest compliance to the newest version. So, if you gained attestation to v3.2.1 prior to this date, it will be valid until you need to attest again.

Before then:

  • Assess the current status of your compliance transition from PCI DSS v3.2.1 to v4.0.
  • If you have just attested with v3.2.1, communicate with your relevant stakeholders, including your acquirer (bank) to verify that this is appropriate.
  • Plan for the 2025 / future-dated controls (see below).
  • Engage with Qualified Assessors for guidance and support.

Are there any other versions of PCI DSS my organisation can use?

On 31 March 2024, PCI DSS v4.0 officially superseded v3.2.1. This means that from 1 April 2024, your next PCI audit will be against the new version. Some new controls have been future-dated, so that organisations have further time to implement them. These are clearly marked in the standard, and will become mandatory on 31 March 2025.

There are no other PCI DSS versions, so you must ensure you are compliant with PCI DSS v4.0.

Why is this update to the standard necessary?

The ways that we use card payments are continuously evolving, especially when it comes to contactless payments, cardless payments, and online payments. As quickly as payment technology changes, so too does the technology and approaches used in malicious attacks which target organisations that accept card payments and store customer card data.

Since PCI DSS v3.2.1. was released in 2018, the payment card security environment (and threats to payment card data) has evolved drastically, so v4.0 takes these changes into consideration. It aims to continue to meet the security needs of the payment industry, promote security as a continuous process, add flexibility, support innovation, and enhance validation methods. This means your organisation can maintain the best processes possible to keep your sensitive payment data secure in the long term.

Is the assessment process going to change with the new standard?

The assessment process does not change for validation; however, your organisation may now use the Customised Approach where you can substitute your own controls to meet the objective of any PCI DSS requirement, as long as you can demonstrate that it does meet those requirements. You can do this by:

  • Defining the control
  • Explaining how it operates and is maintained
  • Describing how it meets the objective of the original PCI DSS requirement.

Your organisation must also describe and document how you have tested that the control, met the objective, and shown evidence of the results of the testing. You must also complete a risk assessment for every Customised Approach requirement.

Are you ready for PCI DSS v4.0?

Maybe you’ve already attested to v4.0, or maybe that’s a bridge you’re yet to cross. Regardless of where you are on your journey, our PCI DSS and information security experts are here to help.

Talk to us about how we can help you achieve compliance or support with your Business as Usual PCI DSS activities.