Customized Approach Overview:
Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.
Role of Assessors:
Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and whether these controls fulfill the security objectives of the PCI DSS requirements.
QSAs must document the evaluation, the evidence reviewed, and the results in the Report on Compliance (ROC).
Controls Matrix and Targeted Risk Analysis (TRA):
The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these tools during assessments.
Documenting in the ROC:
The ROC must include a narrative explaining the assessor’s findings regarding the customized control, the validation methods used, and any evidence collected.
Relevant PCI DSS v4.0 Guidance:
Appendices D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach, provided this is documented comprehensively in the ROC.