Customized Approach Overview:
Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing
controls tailored to their environment. This allows flexibility while still achieving the stated
intent of the security requirement.
Role of Assessors:
Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and
whether those controls fulfill the security objectives of the PCI DSS requirements they address.
QSAs must document the evaluation, the evidence reviewed, and the results in the Report on Compliance
(ROC).
Controls Matrix and Targeted Risk Analysis (TRA):
The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in
verifying the accuracy and completeness of these tools during assessments.
Documenting in the ROC:
The ROC must include a narrative explaining the assessor's findings regarding the customized control,
the validation methods used, and any evidence collected.
Relevant PCI DSS v4.0 Guidance:
Appendices D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm
adherence to the Customized Approach, provided this is documented comprehensively in the ROC.