The defined and customised approaches are something we must all deem necessary in thought when thinking about validating requirements. With the new introduction of version 4 into the realm we have so firmly built within PCI, defined, and customised approaches are now something we must all work with simultaneously to advance and maintain a far more secure environment. Conforming solely with the defined approach was something many associated with former methods of PCI version 3.2.1; however, the now inclusion of version 4 has introduced a new player into the ballpark with the customised approach.
The defined approach was something we all had grown so used to in PCI as it plainly and simply used requirements and testing procedures that were ‘defined’ within the standard. This meant an entity would implement security that had been stated in requirements for the assessors to then validate and approve. The defined approach followed/follows a very stable ‘black and white’ like methodology in its objectivity, and this has been useful in previous methods as it’s enabled a clearer way of understanding PCI. Through this methodology, some would suggest the defined approach led to a less risk-based approach to former PCI versions. Compensating controls don’t take a hit in any way either through the defined approach as they can still be used if needed or wanted and so many organisations would see nothing wrong with the approach. If anything, organisations with a smaller budget, or with a less mature security programme, would argue it still allows them to coincide with security protocols with no issue whatsoever. The traditional defined approach also worked candidly alongside the use of compensating controls that many opt into having. Compensating controls essentially acted as negotiating helpers for businesses that could not meet PCI DSS requirements objectively; compensating controls allowed a leeway, as long as they were validated and documented annually, for the defined method.
The Customised approach is where things begin to differ in how it is far more subjective and allows entities a more lenient view (method of applicability) for PCI DSS requirements. In how the defined approach maintains an objective stance, the customised approach ‘supports innovation in security practices’ by allowing ‘flexibility’ in how current security controls are shown. Although the customised approach is deemed to be more ‘risk based’, if used correctly, it does provide more benefits for businesses with slightly more mature risk management approaches as it opens doors for conversations to be had over certain controls, rather than being so black and white like in the defined approach. Along with this, the customised approach blends nicely with compensating controls. It has become very clear that the primary goal for PCI DSS v4.0 is to promote and increase flexibility within and for organisations to achieve security objectives and compensating controls, as mentioned previously, allow this element of leeway in situations where there is a process that cannot, or struggles to, be updated to meet a requirement. However, it is easy to mistakenly think the customised and compensated controls serve the same purpose, they do not. Compensating controls are used when an organisation has a constraint and is unable to meet a requirement; the customised approach is for entities that choose to meet a requirement differently. With this knowledge, it is important to note that compensating controls and the customised approach can be used for the same requirement, but compensating controls are not to be used in the customised approach objective.
As we move forward and make a conclusion of all the information that has been served; whether it might be a defined approach or a customized approach, compensating controls would still play their role as they used to. If we try to understand the basic difference between defined and customized approach, we may imagine a mountain climber, climbing the mountain on the carved path following what has been made and used for every trip. Then there’s another guy trying to make it up the hill following a different path, that is new and is as effective as the original one. Both make it up to the mountain top regardless of what approach they follow, the journey is about figuring out which approach suits you best.
