The new version of the Payment Card Industry Data Security Standard (PCI DSS) was released a while back to much fanfare. The new version is full of major and minor changes across the 12 requirements (minimum password length is no longer 7!), but the one that has caught the most attention is the new customized approach. This new way of meeting the requirements will have a major impact on the compliance of both on-prem and cloud environments, which is why I am covering it in detail today.
The new version was developed after a lot of collaboration and feedback within the industry, and one of its major goals is to “Add flexibility for different methodologies”.
The customized approach falls under this goal and is defined as
“a new method to implement and validate PCI DSS requirements, provides another option for organizations using innovative methods to achieve security objectives”
Why the customized approach is a game changer in PCI DSS
For the past decade or so, Qualified Security Assessors (PCI auditors, if you are not aware) would audit organizations against the standard and check where they were found lacking. When an organization could not meet a particular requirement (say, encryption of cardholder data), a compensating control was defined and put in place. This was short term and had to be reviewed on a regular basis regardless of how good the controls were!
The new customized approach allows auditors to validate a security control and look at the intent behind its implementation. If it addresses the risk, it can be considered satisfactory even if it does not directly meet the PCI requirement. This is a great improvement over compensating controls, which were temporary and considered a stop-gap arrangement.
As per the PCI council:
“Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based.”
This is great news for companies with state-of-the-art technology controls and mature risk management processes that do not want to follow a textbook approach to PCI DSS.
The new audit approach
Simply put, going forward the new version of PCI DSS will give companies two options:
- Defined approach: the traditional way of meeting the 12 PCI DSS requirements, which companies have been following since the start. You can continue on this route, and most companies likely will.
- Customized approach: the newer, more flexible way of doing things. Companies in the cloud and with mature risk management controls can look at how they can meet the intent of the requirement.
The PCI report can contain both approaches, giving both auditors and companies a great deal of flexibility in implementing PCI DSS.
Do not underestimate the effort!
While the new PCI DSS version seems to be a great leap forward and very flexible in its risk-first approach, companies should not underestimate the effort that will be involved.
I have jotted down a few of the key steps that companies will need to take in order to be ready:
- Engage with the QSA early on for the areas where you plan to use the customized approach, as not all PCI requirements are eligible! QSAs will be trained in this new approach and can advise you early on whether a customized approach is acceptable. Do not wait for the end of the audit to engage your QSA.
- Update your risk assessment skills ASAP. The new approach requires detailed documentation, and you will need to convince the QSA via a targeted risk analysis. Do not copy-paste previous risk assessments (yes, everyone knows people do that); do a fresh one from the ground up. If the below form looks like French to you, then I suggest investing in some
- Start gathering evidence early on. The controls you put in place for the customized approach will need to be proven via documentation, the above-mentioned risk analysis, settings, system logs, etc. Your QSA will be the best source of guidance on what evidence will be acceptable.
Start getting ready now for the customized approach
The customized approach is going to be a great fit for cloud environments, which lend themselves to new and innovative approaches to mitigating risk. However, it is not easier than the defined approach by any means, as it comes with an increased burden of documentation and risk analysis. Start getting ready now when it comes to doing a targeted risk analysis of your environment and deciding where you plan on implementing this approach. This will save a lot of time in the long run.
As per the below diagram, you still have two years, but 24 months is not much in the grand scheme of things, taking into account the time that training, documentation, evidence gathering, etc. is going to take.
Do not go overboard in your first assessment; slowly phase over to the new approach. This way you will not get overwhelmed by the new way of doing things and will find the entire process much more enjoyable. Good luck in your PCI DSS journey!