WithPCI.com

12.3.2 A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:

Original requirement from PCI DSS v4.0.1

Defined Approach Requirements

12.3.2 A targeted risk analysis is performed for each PCI DSS requirement that the entity meets with the customized approach, to include:

  • Documented evidence detailing each element specified in Appendix D: Customized Approach (including, at a minimum, a controls matrix and risk analysis).
  • Approval of documented evidence by senior management.
  • Performance of the targeted analysis of risk at least once every 12 months.

Customized Approach Objective

This requirement is part of the customized approach and must be met for those using the customized approach.

Applicability Notes

This requirement only applies to entities using a Customized Approach.

Defined Approach Testing Procedures

12.3.2 Examine the documented targeted risk-analysis for each PCI DSS requirement that the entity meets with the customized approach to verify that documentation for each requirement exists and is in accordance with all elements specified in this requirement.

Purpose

A risk analysis following a repeatable and robust methodology enables an entity to meet the customized approach objective.

Definitions

The customized approach to meeting a PCI DSS requirement allows entities to define the controls used to meet a given requirement's stated Customized Approach Objective in a way that does not strictly follow the defined requirement. These controls are expected to at least meet or exceed the security provided by the defined requirement and require extensive documentation by the entity using the customized approach.

Further Information

See Appendix D: Customized Approach for instructions on how to document the required evidence for the customized approach.

See PCI DSS v4.x: Sample Templates to Support Customized Approach on the PCI SSC website for templates that entities may use to document their customized controls. Note that while use of the templates is optional, the information specified within each template must be documented and provided to each entity's assessor.

purpose

Ensure that every PCI DSS requirement met with the customized approach is backed by a documented targeted risk analysis that contains the Appendix D evidence (at a minimum a controls matrix and a risk analysis), is approved by senior management, and is repeated at least once every 12 months.

compliance strategies

  • Maintain a controls matrix and targeted risk analysis for each requirement met with the customized approach, following Appendix D
  • Obtain and retain senior management approval of that documentation
  • Schedule the analysis so it is performed at least once every 12 months

typical policies

  • Customized Approach Targeted Risk Analysis Procedure

common pitfalls

  • Risk analysis missing for one or more requirements met with the customized approach
  • Documentation lacking the Appendix D elements (controls matrix, risk analysis)
  • No evidence of senior management approval
  • Analysis not repeated within 12 months

type

Process Control

difficulty

Low

key risks

  • A customized control that does not meet or exceed the security provided by the defined requirement goes undetected

recommendations

  • Use the PCI SSC sample templates (PCI DSS v4.x: Sample Templates to Support Customized Approach) to document the controls matrix and risk analysis
  • Record the approval date and next review date for each analysis so the 12-month cycle is evidenced

Eligible SAQ

  • SAQ-D MERCHANT
