PCI DSS version 4.0 tossed out compensating controls and introduced a more flexible structure with customized implementation options.

Out With The Old, In With The New

The release of PCI DSS 4.0 ushers in a new and improved set of standards for protecting customer payment data. These standards apply to any organization that accepts credit, debit, or prepaid cards under the American Express, Discover, MasterCard, Visa, and Japan Credit Bureau brands.


Customized Implementation Replaces Compensating Controls

The processes for implementing alternative security measures have been updated: customized implementation has replaced compensating controls in v4.0. Compensating controls are an alternative solution or set of measures that satisfy a security or compliance requirement the organization cannot put in place in its original form.

The updated customized implementations are much more accommodating: organizations no longer need to provide a justification for deviation from PCI regulations. Customized implementations consider the intent of the objective and allow organizations to design their own security controls to meet it. The customized approach supports innovation in security practices, allowing entities greater flexibility to show how their current security controls meet PCI DSS objectives. Once an organization determines the security control for a given objective, it must provide full documentation to enable its Qualified Security Auditor (QSA) to make a final decision on the effectiveness of the control.

If your organization plans on utilizing the customized implementation option, you need to be prepared to provide clear justification for using compensating controls. At the time of assessment, QSAs will need to review the technology and methods used to determine whether the customized implementation meets or exceeds the goals of the original regulation. This requires that your organization maintain the RoC and SAQ documents and worksheets provided by PCI SSC.
