In-depth about version 4.0
One major difference between these versions is that v4.0 now allows a business to use a combination of approaches for meeting its security requirements. Specifically, PCI DSS v4.0 offers two approaches: the Defined Approach and the Customized Approach.
1. The Defined Approach
The Defined Approach is the traditional approach to PCI DSS compliance. Under this approach, businesses must implement security controls that meet the specific requirements of the PCI DSS standard. Assessors then test these controls to verify that they are effective. If any exceptions are found, businesses can use compensating controls to mitigate the resulting risk.
2. The Customized Approach
The Customized Approach is a new approach to PCI DSS compliance that is more flexible, but also somewhat more complicated. Under this approach, businesses can implement controls that meet the stated objective of each PCI DSS requirement, even if those controls do not strictly follow the defined requirement.
However, businesses must be able to demonstrate to assessors that their customized controls are effective in meeting the objective of the requirement.