An entity wants to use the Customized Approach. They are unsure how to complete the Controls Matrix or TRA. During the assessment, you spend time completing the Controls Matrix and the TRA, while also ensuring that the customized control is implemented securely.
Which of the following statements is true?
A. You can assess the customized control, but another assessor must verify that you completed the TRA correctly.
B. You can assess the customized control and verify that the customized approach was correctly followed, but you must document this in the ROC.
C. You must document the work on the customized control in the ROC, but you cannot assess the control or the documentation.
D. Assessors are not allowed to assist an entity with the completion of the Controls Matrix or the TRA.
Answer: B
Explanation:
Customized Approach Overview:
Under PCI DSS v4.0, entities can use a Customized Approach to meet requirements by implementing controls tailored to their environment. This allows flexibility while still achieving the intent of the security requirement.
Role of Assessors:
Assessors (QSAs) are responsible for evaluating both the implementation of customized controls and whether these controls fulfill the security objectives of the PCI DSS requirements.
QSAs must document the evaluation, the evidence reviewed, and the results in the Report on Compliance (ROC).
Controls Matrix and Targeted Risk Analysis (TRA):
The Controls Matrix and TRA are key components of the Customized Approach. QSAs assist in verifying the accuracy and completeness of these documents during assessments.
Documenting in the ROC:
The ROC must include a narrative explaining the assessor's findings regarding the customized control, the validation methods used, and any evidence collected.
Relevant PCI DSS v4.0 Guidance:
Appendices D and E of the PCI DSS v4.0 ROC Template emphasize that QSAs can evaluate and confirm adherence to the Customized Approach, provided this is documented comprehensively in the ROC.