Enhanced validation methods and procedures

Major changes introduced by PCI DSS v4.0 include enhanced validation methods and procedures, which evolved from a defined-only approach to include an objective-based customized approach. The PCI SSC announced the plan to introduce these enhanced validation methods and procedures into PCI DSS v4.0 at the 2019 Community Meetings.

The traditional defined approach is the familiar method where required security controls must be implemented when applicable. Requirements need to be met in a very specific manner and validated, sometimes regardless of the actual control outcome, such as whether or not the control system in question is actually effective and sustainable. This method for validating PCI DSS won’t be going away with v4.0. But the new customized approach allows organizations to use security methods that differ from traditional PCI DSS requirements, as long as they can demonstrate that they meet the intent of the relevant PCI DSS requirements and can validate its effectiveness.

Within a PCI DSS compliance assessment, organizations can choose either or both of the approaches on any of the key requirements. For example, PCI DSS v4.0 allows organizations to take a hybrid approach: They are allowed to meet some requirements by following the defined approach and other requirements by following the customized approach. Even within a single DSS requirement, the defined approach and customized approach can be split to meet different aspects of the requirement, as long as the organization meets the security objective of the requirement. However, be aware that some requirements explicitly cannot be met using the customized approach.

The defined approach

The defined implementation refers to the existing traditional approach to security control implementation and compliance validation that has existed since the introduction of the PCI Standard. The sets of requirements, controls and test procedures are fairly prescriptive. The PCI Standard includes descriptions of the controls that need to be in place and how the validation testing procedures should be met. 

The defined approach simply means that organizations follow the current requirements and familiar testing procedures as written in the PCI DSS. This approach remains valid. All organizations can continue to benefit from its prescriptive directions. Many organizations may not see any need to follow a customized approach to meet the control objectives.

The customized approach

The customized implementation allows organizations to follow a tailored process to custom-design security controls or adopt other controls outside of the familiar defined list of requirements. This new approach of validating PCI DSS controls focuses on an outcome-based approach, rather than a must-implement-based one. As mentioned earlier, all customized controls must still meet the stated security objective of the requirement.

Requirements and validation options in PCI DSS v4.0 focus on security objectives and support organizations using different methodologies to meet the intent of PCI DSS requirements. The PCI Standard includes objective statements that clearly identify the security outcomes that customized implementations must meet. The control intent statements specify and clarify what needs to be achieved, with greater flexibility in how the organization completes the desired security outcomes.

The customized approach’s greater flexibility allows for implementation of security solutions and technologies that don’t require waiting for the PCI DSS to catch up. Validation methods focus more on specific security outcomes, giving organizations the ability to prove the effectiveness of their approach. 

This alternate approach allows organizations to customize their approach and develop security controls by meeting several criteria:

• Determine the controls for a given security objective
• Submit detailed documentation to the QSA, outlining the approach to achieve compliance and demonstrate the effectiveness of the approach
• After the QSA reviews the evidence, the QSA makes a final decision on the effectiveness of the control, based on the analysis of the documentation submitted

The impact of a customized approach

Customizing security controls should be done in a very structured way that delivers measurable and predictable outcomes.

Organizations with mature control environments are more likely to embrace the new customized validation approach with confidence. They should also find it easier to rewrite how their systems can be tested to validate how they meet the latest PCI DSS requirements.

The new validation method will likely result, at least initially, in additional assessment work for organizations to develop and prepare documentation, control design, evaluations and risk assessment data that a QSA will need to evaluate. 

Although this new validation approach offers more flexibility in how the PCI DSS 12 Key Requirements can be met, there’s an explicit expectation that organizations ensure that each of their customized implementations of PCI DSS requirements meet respective control objectives and fulfill the intent.

As such, a customized approach requires adopting a robust method of designing and managing security controls and maintaining the control environment. It requires higher levels of process and capability maturity of control design, control risk evaluation, control implementation and monitoring.

Organizations need to collaborate with the QSA or Internal Security Assessor (ISA) to agree on and develop tailored testing procedures. Some organizations are likely to experience unintended consequences from the design and implementation of their customized controls. It’s critical to be aware of blind spots and seek out cause-andeffect relationships between controls, control systems and the control environment. You need to understand your capability and competency to design, implement, maintain and monitor customized controls, as well as your capacity to maintain all the requirements associated with your approach. The new alternative approach may not be for everyone. It’s best suited for organizations with fairly mature security, compliance and risk assessment processes in place. 

When choosing to follow the customized approach, organizations that don’t have a robust control environment backed by reasonably mature compliance management processes and capabilities are advised to improve their level of maturity and implement changes in small, incremental steps. This avoids making changes to substantial portions of the control environment, which can lead to unintended consequences— a range of good, mixed and bad unexpected outcomes. 

For an overview of capability maturity and metrics, revisit the Verizon 2019 Payment Security Report, pages 21 to 29.⁴⁴

The new alternative approach may not be for everyone. It’s best suited for organizations with fairly mature security, compliance and risk assessment processes in place.

⁴⁴ 2019 Payment Security Report, Verizon, 2019. https://enterprise.verizon.com/en-au/resources/reports/payment-security/.

⁴⁵ “First electric traffic signal installed,” History.com, Nov 2009, https://www.history.com/this-day-in-history/first-electric-traffic-signal-installed.

⁴⁶ David Noyce, “Traffic Signal LED Module Specification Workshop and Informational Report for Snow Conditions,” U.S. Department of Transportation, Federal Highway Administration, Jan 2014, https://ops.fhwa.dot.gov/publications/fhwahop13010/index.htm.

⁴⁷ “Airbag,” Wikipedia. https://en.wikipedia.org/wiki/Airbag.

⁴⁸ Antony Davies and James R. Harrigan, “The Cobra Effect: Lessons in Unintended Consequences,” Foundation for Economic Education, Sep 6, 2019, https://fee.org/articles/the-cobra-effect-lessons-in-unintended-consequences/.