The customized approach is a new option in PCI DSS v4.0 that allows entities to use alternate security controls or new technologies that meet the PCI DSS Customized Approach Objective for a requirement1. The customized approach requires the entity to complete and document a Controls Matrix and a Targeted Risk Analysis (TRA) for each customized control, and to provide this documentation to the assessor2. The assessor’s role is to review the documentation, assess the customized control, and verify that the customized approach was correctly followed3. The assessor must also document the assessment of the customized control in the Report on Compliance (ROC), using the ROC Template provided by PCI SSC4. Therefore, the correct answer is option B.

The other options are not true regarding the role of the assessor in the customized approach. Option A is not true because the assessor does not need another assessor to verify the TRA, as the assessor is responsible for reviewing and validating the TRA as part of the assessment process3. Option C is not true because the assessor can and must assess the control and the documentation, as well as document the work on the customized control in the ROC34. Option D is not true because the assessor is allowed to assist the entity with the completion of the Controls Matrix or the TRA, as long as the assessor does not design, develop, or implement the customized control for the entity5. References:

PCI DSS v4.0: Is the Customized Approach Right For Your Organization?

PCI DSS v4.0: Roles and Responsibilities for the Customized Approach

PCI DSS v4.0 Report on Compliance Template

PCI DSS v4.0

PCI DSS v4.0: Customized Approach Explained