PCI DSS 4.0 introduced the "customized approach" (retained in 4.0.1) for meeting requirements: instead of implementing a requirement's defined controls, an organization may implement alternative controls that meet the requirement's stated Customized Approach Objective, supported by a targeted risk analysis and tested by the assessor. Not every requirement is eligible; each requirement states whether the customized approach can be used for it. This document provides guidance for documenting, justifying, and validating customized controls in Azure Kubernetes Service (AKS) environments.
When to use the customized approach
The customized approach is appropriate when:
- Standard (defined-approach) controls aren't practical because of technical or business constraints, but the requirement's objective can still be fully met another way. If the constraint means the requirement can't be met as stated at all, a compensating control, not the customized approach, is the correct mechanism.
- Cloud-native or container-specific security features meet the requirement's objective with controls that differ from the traditional ones described in the defined approach.
Documentation requirements
- Clearly describe the alternative control, the requirement it addresses, and how it meets that requirement's Customized Approach Objective.
- Provide a targeted risk analysis (PCI DSS Requirement 12.3.2) and justification for the alternative control. PCI DSS Appendix E provides a controls matrix template and a targeted risk analysis template for this purpose.
- Include validation and testing procedures, so the assessor can derive testing procedures and verify that the control is in place and effective.
Example template
Requirement | Standard Control | Customized Control | Rationale | Validation/Test |
---|---|---|---|---|
MFA for admin access (Req. 8.4.1) | Traditional MFA prompt for each administrator | Microsoft Entra Conditional Access policy requiring phishing-resistant (FIDO2) authentication strength for admin roles accessing the AKS server application | Phishing-resistant, cloud-native, enforced centrally at the identity provider rather than per host | Review the policy (enabled, targets admin roles and the AKS server application, no unjustified exclusions); attempt an admin sign-in without a FIDO2 key and confirm it is blocked |
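The "Validation/Test" column above is only useful if it can be repeated. The following script is an added example, not Microsoft's code and not part of the original page: it evaluates Conditional Access policies exported in the JSON shape returned by the Microsoft Graph `identity/conditionalAccess/policies` endpoint against the criteria in the table. The sample export is constructed inline so it runs offline. The built-in authentication-strength ID, the AKS Microsoft Entra server application ID, and the Global Administrator role template ID are assumptions stated as constants; confirm them against your own tenant before relying on the result.

```python
"""Check exported Microsoft Entra Conditional Access policies against the
customized control "phishing-resistant MFA for AKS admin access".

Added example, not Microsoft's code. Input is the JSON shape returned by
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies;
the sample below is constructed so the check runs offline.
"""
import json

# Assumption: built-in authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
# Assumption: well-known app ID of the AKS Microsoft Entra server application.
AKS_AAD_SERVER_APP = "6dae42f8-4368-4678-94ff-3960e28e3630"
# Assumption: directory role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed sample export: one policy that meets the control, one that doesn't.
SAMPLE_POLICIES = json.loads(r"""
{ "value": [
  { "displayName": "PCI 8.4.1 - AKS admin phishing-resistant MFA",
    "state": "enabled",
    "conditions": {
      "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                "excludeUsers": [], "excludeGroups": []},
      "applications": {"includeApplications": ["6dae42f8-4368-4678-94ff-3960e28e3630"]}
    },
    "grantControls": {"operator": "AND", "builtInControls": [],
                      "authenticationStrength": {"id": "00000000-0000-0000-0000-000000000004"}}
  },
  { "displayName": "Legacy MFA for admins (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {"includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],
                "excludeUsers": ["break-glass-1"], "excludeGroups": []},
      "applications": {"includeApplications": ["All"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                      "authenticationStrength": null}
  }
]}
""")


def policy_findings(policy: dict) -> list[str]:
    """Return the reasons a single policy fails the control; empty means pass."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not enforced")
    users = policy.get("conditions", {}).get("users", {})
    if GLOBAL_ADMIN_ROLE not in users.get("includeRoles", []):
        findings.append("does not target the admin role")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        # Break-glass exclusions are common, but each one must appear in the
        # targeted risk analysis, so flag them for the reviewer.
        findings.append("has user/group exclusions that must be justified")
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if AKS_AAD_SERVER_APP not in apps and "All" not in apps:
        findings.append("does not cover the AKS server application")
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    if strength != PHISHING_RESISTANT_MFA:
        findings.append("grant control is not phishing-resistant MFA")
    return findings


def evaluate(export: dict) -> dict[str, list[str]]:
    """Map each policy's displayName to its findings."""
    return {p["displayName"]: policy_findings(p) for p in export["value"]}


def covered(export: dict) -> bool:
    """True when at least one enforced policy satisfies every criterion."""
    return any(not f for f in evaluate(export).values())


if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_POLICIES).items():
        print(name, "-> PASS" if not findings else "-> FAIL: " + "; ".join(findings))
    print("Customized control evidenced:", covered(SAMPLE_POLICIES))
```

Run it against a real export (for example, the output of `az rest` or Graph PowerShell saved to a file) by loading that JSON into `evaluate`; the findings list for each policy is the evidence the assessor needs for the "review policy" step, and a sign-in test without a FIDO2 key remains the "test login" step.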
Integrated AKS security context
You should implement the customized approach as part of a broader security strategy that includes:
- Security policies: policy and governance for the cluster and its workloads.
- Identity and access management: who can reach the cluster and the control plane, and with what privileges.
- Monitoring and logging: monitoring and alerting that can evidence the customized control is operating.
For the latest AKS security features, see the Azure Kubernetes Service (AKS) documentation.
Next steps
Review the complete mapping of PCI DSS requirements to AKS implementations and controls.
Related resources
For more information, review the official PCI DSS 4.0.1 documentation.