With the new PCI DSS 4.0 updates now public, payment processors and security experts are examining some of the latest changes. One of the changes we’ve noticed (and one that will most likely make a massive difference for assessments) is the inclusion of customized approaches to PCI DSS assessment. This evolution of compensating controls in requirement assessment is set to alter how some companies think about their compliance obligations fundamentally.
What Is PCI DSS Assessment?
Businesses that handle private cardholder data must undergo regular assessments from third-party assessment organizations. Organizations storing, transmitting, and processing cardholder payment and authorization information must undergo regular assessments by certified PCI DSS assessors to show that their IT infrastructures meet the minimum standard for compliance. These assessments are aligned with the 12 requirements and how they are defined in the PCI DSS 4.0 documentation.
These assessors will evaluate businesses and their IT infrastructure on how they align with the 12 PCI DSS requirements:
- Install and maintain network security controls
- Apply security configurations to all system components
- Protect stored account data
- Protect cardholder data with strong cryptography during transmission over open, public networks
- Protect all systems and networks from malicious software
- Develop and maintain secure systems and software
- Restrict access to system components, and cardholder data by businesses need to know
- Identify users and authenticate access to system components
- Restrict physical access to cardholder data
- Log and monitor all access to system components and cardholder data
- Test security of systems and networks regularly
- Support information security with organizational policies and programs
With the unveiling of PCI DSS 4.0, there has been a slight shift regarding how companies can demonstrate their compliance with each requirement. Traditionally, there were well-defined capabilities that the company must show the assessor. Now, there is also a customized approach that they may take, depending on the circumstances.
What Is the Defined Approach for PCI DSS Validation?
The “defined” approach to PCI DSS validation under version 4.0 is much the same as it was under version 3.2.1–companies must provide evidence that they can meet the minimum expectation of each of the 12 PCI requirements.
Each requirement calls for one or more “defined approach requirements) that specify how the company can demonstrate their compliance with PCI DSS.
Some of these requirements include:
- Creating and maintaining an up-to-date data-flow diagram that shows how data moves across systems and networks (Requirement 1).
- Using strong cryptography and security protocols to protect primary account numbers (PAN) transmitted across public networks (Requirement 4).
- Patching system components and public-facing apps with the latest security updates. Critical patches are implemented within one month of issuance, and others are implemented based on guidance from the patching entity (Requirements 6).
- Managing visitor badges or ID, including deactivating or disposing of these items when visitors leave the premises (Requirement 9).
These requirements break down in a particular level of granularity, from maintaining documentation on roles and responsibilities to implementing specific technologies and practices.
More importantly, assessors must determine that these technologies, practices, and assets are properly implemented based on the company’s infrastructure, so some of the defined approach requirements will not stay identical from one organization to the next.
Sometimes, an organization may not meet a PCI requirement as spelled out in the defined approach. In these situations, the PCI Council will allow for what’s known as a “compensating control,” or alternative technology or practice that effectively mitigates the risks that the original requirement was meant to address.
Per PCI DSS guidelines, a compensating control must:
- Meet the intent and rigor of the original requirement
- Provide a similar level of defense as the original requirement such that it offsets the risk the original requirement defends against
- Be “above and beyond” other requirements–that is, you can’t simply trade out an unrelated control that doesn’t address the immediate concern
- Address any additional risks introduced by not implementing the original control
To implement a compensating control, the organization must provide a compelling business or technical justification.
What Is the Customized Approach for PCI DSS Validation?
With technology and security evolving rapidly and with many companies adopting and deploying highly idiosyncratic infrastructures to handle customer data, the use of well-defined but rigid approaches to assessment doesn’t provide much wiggle room. Additionally, since PCI DSS allows for control alternatives based on customer needs, it seems logical to provide a framework for flexible compliance.
PCI DSS 4.0 introduces the practice of “customized” compliance. This customized approach to assessment allows businesses to implement controls that align with their business and technical needs without strictly adhering to the letter of the law as described in the defined approach.
Like compensating controls, customized approaches to compliance are expected to meet or exceed the defined PCI DSS requirement controls. However, they also call for the assessed company to interrogate their infrastructure and understand how they meet requirements without implementing specific controls. Likewise, assessors and businesses will work closely to develop testing and assessment criteria based on these customized approaches.
Like defined approach requirements, each PCI requirement category includes a “customized approach objective” that states a broad goal that the custom control should address. Some of these include:
- Preventing unauthorized access to network traffic, resources, or devices (Requirement 1)
- Ensuring that system components cannot be compromised through insecure programs or services (Requirement 2)
- Obfuscating cleartext PANs on wireless networks (Requirement 4)
- Limiting access to PANs according to job function and least privilege approaches (Requirement 7).
These customized approaches allow companies with the right know-how to use internally planned and configured IT towards PCI DSS compliance without double-up with other technologies.
Note, however, that using the customized approach isn’t always the best thing to do. Smaller companies that don’t use tailored IT infrastructure and don’t need specialized security will benefit from the simplicity and clarity of defined approaches.
Conversely, larger enterprises with complex infrastructure and a firm grasp on their risk profile may find the customized approach superior for compliance and business goals.
Get Ready for PCI DSS 4.0 Requirements with Lazarus Alliance
Whether you’re preparing for a well-defined PCI audit or want to explore customized approaches to compliance, you can trust the experts at Lazarus Alliance. We have decades of experience in compliance, security analysis, and audit support.
Getting Ready for PCI DSS 4.0?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.