What You Need to Know About the PCI DSS 4.0 Customized Approach

Valerie Hare, Content and Website Specialist at TokenEx
Nov 09, 2023

On March 31, 2024, PCI DSS 4.0 will officially replace version 3.2.1. It’s essential for merchants who need to maintain PCI compliance to start preparing for the transition to 4.0. The latest PCI standard includes various changes, from adding flexibility and additional methods to maintain payment security to offering an alternative to implement and validate PCI DSS requirements via the customized approach. In this article, we’ll discuss an overview of the customized approach, the differences between this and the defined approach, the advantages and disadvantages of this approach, and how to implement a customized method.

Quick Hits:

· PCI DSS 4.0 is the latest version, which unveiled a new approach for organizations to implement and validate PCI security objectives.

· Previous PCI DSS versions used the traditional or defined approach to implement and validate PCI security controls.

· The customized approach enables businesses to design, implement, and validate security controls tailored to their needs to meet PCI requirements.

· While the traditional approach is a straightforward option for organizations that need to be PCI compliant, the customized approach is ideal for mature, risk-based organizations looking for greater flexibility and tailoring for their security controls used to meet PCI DSS compliance.

What is the customized approach in PCI DSS 4.0?

PCI DSS 4.0 introduced the customized approach to increase flexibility for organizations using various methods to achieve security requirements. Key feedback from stakeholders led to the development of this method as merchants wanted more flexibility to choose innovative technologies to meet their security objectives. These technologies oftentimes do not work for the traditional approach for the implementation and validation of PCI DSS.

The customized approach provides an alternative to the traditional or defined approach. Version 4.0 allows organizations to design and implement their own controls to meet one or more PCI requirements.

What are the differences between the defined and customized approaches?

Before the customized approach with version 4.0, previous PCI DSS versions used the defined or traditional approach to implement and validate required security objectives. The defined approach outlines the compensating controls organizations can implement to meet PCI compliance.

Compensating controls are used when a business tries to implement controls required by the traditional approach, fails to comply, and needs additional controls to meet the same objective. For example, an organization may be unable to meet a specific control, such as installing and maintaining a firewall configuration to protect cardholder data. In this case, the organization could document the issue and use a compensating control in place of the control. The compensating control would need to offer the same level of security for cardholder data as the traditional control.

The traditional option is best suited for businesses that already have established controls in place to achieve PCI DSS requirements and have no issues with the current methods for implementing and validating those controls. This approach is also recommended for organizations that are new to PCI DSS and are seeking guidance on how to achieve compliance objectives.

As for the customized approach, this alternative to the defined option focuses on a PCI DSS requirement’s stated Customized Approach Objective. Organizations have more flexibility, so this approach is better suited for those who prefer to use other security objectives or new technologies to achieve the Customized Approach Objective.

For instance, PCI DSS 4.0 has stronger authentication requirements to help protect cardholder data and assist the payments industry as it transitions into operating on cloud platforms that demand more robust authentication standards for payments and access logins. One of these requirements is to use strong, unique passwords for accounts. A business could meet this goal by utilizing a passwordless authentication system that authenticates users via biometrics, a trusted device, or a smart card. A multi-factor authentication (MFA) system could achieve PCI DSS objectives without passwords, meaning the strong password requirement would not be necessary.

Why does PCI DSS 4.0 allow customized approaches?

The Payment Card Industry Security Standards Council (PCI SSC) established the customized approach to offer greater flexibility to organizations subject to PCI DSS compliance. The traditional method used in previous PCI versions includes requirements designed for any entity that accepts, processes, and transacts sensitive payment card data. A cookie-cutter approach means these security controls will not likely meet a business’s needs.

With version 4.0, the PCI SSC empowers organizations to choose the best compliance approach to meet their needs and leverage cutting-edge security solutions. Since regulation requirements can become outdated amidst the rapidly evolving payment security landscape, the customized

approach can prevent organizations from being restricted in implementing and validating security requirements.

What are the pros and cons of the PCI 4.0 customized approach?

After PCI DSS 4.0 introduced the customized approach, many organizations are likely wondering what the pros and cons are of using this method over the traditional version.

Customized approach pros:

· Flexibility to choose tailored security controls – With the defined approach, organizations can only use compensating controls to meet PCI DSS requirements. However, the customized approach allows organizations to design security controls specific to their unique business needs.

· Stay updated with the evolving security landscape – The payment security landscape will continue to adapt according to payment threats and businesses’ needs. The traditional approach’s security technologies will eventually become outdated as a result. Entities that leverage customized controls can utilize any security solution that meets PCI requirements, opening up the possibilities for a solution that meets their compliance and payments goals.

Customized approach cons:

· Not every organization qualifies – The customized approach is only available to businesses undergoing a Report on Compliance (ROC). ROC is a form all Level 1 Visa merchants must complete undergoing a PCI DSS audit. Organizations that meet PCI compliance via Self-Assessment Questionnaire (SAQs) do not qualify for the customized method. An SAQ is a tool for companies to validate PCI DSS compliance that qualifies for internal audits because they process fewer annual transactions and do not need to undergo a ROC.

· Extra overhead is required to implement – It is no surprise that the customized approach requires extra work compared to the standard defined control. A business that opts for the customized method must perform a risk assessment and show that their controls meet the appropriate PCI requirements. The risk assessment may also require the business to assess the impact of their customized controls on other controls.

· Increased audit costs and time - A Qualified Security Assessor (QSA) that reviews the defined controls can quickly determine whether a business meets a PCI requirement. Customized controls increase the audit costs and time for a QSA to conduct an audit. This approach must be designed and implemented in-house by a compliance team or achieved via a third-party provider or a different independent QSA. This rule is based on the PCI DSS’s independence requirement, which prevents a QSA conducting an audit from helping design and implement an organization’s customized controls.

How do businesses implement a customized approach?

Since the customized approach requires more time, money, and resources, it’s best suited for organizations with a mature, risk-based security program. The defined approach specifies what entities must do to meet PCI DSS compliance, which typically means the audit process is much quicker than the customized method.

With the customized method, entities must conduct a risk analysis and create a controls matrix for every customized control they implement. The PCI DSS 4.0 Appendix E includes templates for each control. The risk assessments must be reviewed and approved by an organization’s executive.

Once a customized control is implemented, the entity must conduct long-term monitoring and testing to verify the control’s effectiveness. An organization will also need to build metrics and set up the monitoring.

The customized approach also has requirements for the PCI DSS assessor. For example, QSAs must review each customized control, design and enact a test plan, and document the PCI DSS audit results. Organizations must provide the assessor with accurate, detailed information explaining how their controls work. These controls will tack on additional time and expenses related to an organization’s PCI audit.

Leverage Cloud Tokenization to Implement PCI DSS 4.0

While the latest PCI DSS approach offers additional flexibility for organizations, it’s not designed to be easier, quicker, or less expensive. The customized method is ideal for mature, risk-based organizations with robust risk management solutions undergoing an ROC and seeking tailored security controls to achieve compliance. Customized controls make the most sense for entities that will reap significant benefits from this more complex yet flexible method. Discover how a reputable cloud tokenization provider, such as TokenEx, can help you reduce the scope of your PCI audit by 90%. Our team of PCI ISA-certified experts can help with your PCI compliance challenges as you move to PCI DSS 4.0. Ready to experience fewer PCI headaches? Request a demo to learn how TokenEx can help your business.


About TokenEx:

TokenEx is a cloud tokenization and payment optimization provider committed to helping organizations safely and compliantly accept, store, and transmit sensitive data. With an initial focus on applying tokenization to the management of PCI compliance, TokenEx has expanded its product suite to enable the intelligent routing of payment data. Intelligent payment routing allows clients to optimize authorization rates and fraud management, leading to increased revenue and customer lifetime value. For more information, visit tokenex.com.


Contact us: Our TokenEx team is here to help you. Contact us to get started.



Valerie Hare, Content and Website Specialist at TokenEx

Blue-tinted background of a man watching a webinar

Host a Webinar with the MRC

Help the MRC community stay current on relevant fraud, payments, and law enforcement topics.
Submit a Request

Publish Your Document with the MRC

Feature your case studies, surveys, and whitepapers in the MRC Resource Center.
Submit Your Document

Related Resources

Cookies help us improve your website experience.
By using our website, you agree to our use of cookies.