
PCI DSS v4.0.1 customised approach with targeted risk analysis

Primary statement

PCI DSS v4.0.1 customised approach, using PCI 3.5.1.1 (keyed cryptographic hash covering the full PAN) as the example requirement. The customised approach allows an entity to design its own control that meets a requirement's stated objective, justified by a documented Targeted Risk Analysis (TRA, PCI 12.3.x). SOC 2, NIST CSF, CSA and ISO 27001 risk frameworks support the underlying risk management.
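The 3.5.1.1 example above is concrete enough to show in code. The block below is an added illustration, not part of this synthesis page or of any PCI SSC material: it assumes HMAC-SHA256 as the keyed hash (3.5.1.1 requires a keyed cryptographic hash of the entire PAN but does not name an algorithm), a constructed DEMO_KEY that stands in for a key managed under the 3.6/3.7 key-management requirements, and a hypothetical normalize_pan helper that enforces the full-PAN-coverage condition by rejecting masked or truncated input. The unkeyed variant is included only to make the contrast auditable: without a key, the small PAN space (known BIN, Luhn check digit) is the risk the TRA for this control has to address.

```python
import hashlib
import hmac

# Constructed demo key. In production the key comes from an HSM/KMS under
# the PCI 3.6/3.7 key-management processes and is never a source literal.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; every real PAN passes it, so a fragment will not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Full-PAN-coverage gate (hypothetical helper).

    Strips separators, then insists on a complete 13-19 digit PAN that passes
    Luhn. Masked values such as '411111******1111' or a first6+last4 fragment
    are rejected so the hash can only ever be taken over the entire PAN.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("hash input must be the entire PAN, not a fragment")
    if not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """3.5.1.1-style rendering: HMAC-SHA256 over the whole normalized PAN."""
    digits = normalize_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def unkeyed_pan_hash(pan: str) -> str:
    """The pattern 3.5.1.1 rules out. Shown only for contrast: with no key,
    the digest is a deterministic function of a low-entropy input."""
    return hashlib.sha256(normalize_pan(pan).encode("ascii")).hexdigest()


def verify_match(pan: str, expected_hex: str, key: bytes) -> bool:
    """Constant-time comparison of a freshly computed keyed hash with a stored one."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), expected_hex)


if __name__ == "__main__":
    # 4111111111111111 is a well-known Visa test number (constructed input).
    stored = keyed_pan_hash("4111 1111 1111 1111", DEMO_KEY)
    print("stored keyed hash:", stored)
    print("lookup matches:", verify_match("4111111111111111", stored, DEMO_KEY))
    try:
        keyed_pan_hash("411111******1111", DEMO_KEY)
    except ValueError as exc:
        print("masked PAN rejected:", exc)
```

The evidence a QSA would want for this control maps onto the code directly: the key source and rotation records (3.6/3.7), the normalization rule that proves the hash covers the entire PAN, and the verification path showing the digest is only ever compared, never reversed.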

Audit-fatigue payoff

A unified TRA + customised approach methodology, anchored in PCI 12.3, SOC 2 CC3, NIST GV.RM-01 and CSA GRC-02, satisfies both the customised approach and the targeted risk analysis requirements in one artifact set. The TRA is the audit-defensible artifact that justifies each customised control.

Strictness matrix

Scope
  PCI DSS requirements where the customised approach is permitted (most defined-approach requirements). Each customised control requires its own TRA.
  Ceiling source: pci_dss:PCI.3.5.1.1
  Rationale: The PCI DSS 3.5.1.1 example illustrates the customised-approach scope.

Threshold
  Documented TRA + risk-based justification + control design meeting the requirement objective + testing approach + control effectiveness evidence.
  Ceiling source: pci_dss:PCI.3.5.1.1
  Rationale: PCI 3.5.1.1 specifies the binary customised-approach threshold.

Method
  TRA per customised control + risk-based design + control implementation + testing per QSA review + ongoing monitoring + integration with SOC 2 CC3.1 risk objectives + NIST GV.RM-01 risk management.
  Ceiling source: pci_dss:PCI.3.5.1.1
  Rationale: PCI 3.5.1.1, SOC 2 CC3.1 and NIST GV.RM-01 combined form the customised-approach method.

Frequency
  TRA refresh: annual + on material change. Customised control effectiveness review: annual minimum.
  Ceiling source: pci_dss:PCI.3.5.1.1
  Rationale: Annual TRA review is the audit-defensible cadence.

Evidence
  TRA per customised control + control design document + testing evidence + ongoing monitoring records + QSA review of the customised approach.
  Ceiling source: pci_dss:PCI.3.5.1.1
  Rationale: PCI 3.5.1.1 evidence with TRA is uniquely strict.

Auditor test pattern

Step 1: Inspect the TRA for each customised control.
Step 2: Verify the risk-based justification.
Step 3: Inspect control design and testing evidence.
Step 4: Verify QSA acceptance of the customised approach.
Step 5: Verify the annual TRA refresh.

Common findings

(1) Customised approach used without a TRA.
(2) TRA generic, not control-specific.
(3) Annual TRA refresh skipped.
(4) Customised control monitoring absent.