A Detailed Overview Of PCI DSS Compensating Controls
Anwita
Apr 21, 2022
If your business handles, stores, transmits, manages, or processes customers’ payment card information, it must comply with PCI DSS (Payment Card Industry Data Security Standard). This is an information security standard that outlines measures and controls for organizations to protect sensitive card details while processing transactions.
Implementing stringent compliance is not easy, and organizations often have a hard time meeting every requirement. This is where PCI DSS compensating controls apply.
In this article, we discuss what compensating controls are, what PCI DSS says about them, and tips for completing the compensating control worksheet.
What are PCI DSS compensating controls?
PCI DSS compensating controls give organizations an alternative to security requirements that cannot be met due to technical issues or business constraints. PCI DSS offers some flexibility or alternate options to mitigate the risk described in the requirement by allowing organizations to deploy compensating controls.
Compensating controls are valid only when reviewed by an assessor. The effectiveness of a control depends on factors such as:
- The environment in which it is deployed
- The surrounding security controls
- The configuration of the control
Remember, PCI compensating controls are not a shortcut to gaining compliance. When you don’t implement a control, you should have sufficient justification. While these can act as temporary solutions, you should work to achieve the originally recommended compliance.
What does PCI DSS say about compensating controls?
As per PCI DSS Appendix B, if you implement a compensating control, ensure that:
- It meets the intent and rigor of the original requirement.
- It provides the same level of defense as the original requirement.
- It goes above and beyond other PCI DSS requirements.
- It adequately mitigates the additional risk that exists due to non-adherence to the requirement.
Let us understand what each means.
Meet the intent and rigor of the original requirement
The compensating control you implement should provide the same level of protection as the control it seeks to replace. To break this down, think of the PCI DSS requirement to encrypt cardholder data so that malicious actors cannot read it. Now, what if your organization does not have a system or process in place to encrypt customer card data? To compensate, you should have some other control in place that helps you prevent data theft, such as MAC address filtering or MFA from within your internal network.

Provide the same level of defense as the original requirement
This may sound similar to the first point, but a subtle difference lies in the application: it focuses on the quality of the alternative measure. Let’s say the original control could mitigate about 80 percent of high-risk threats. Then it is not enough to implement a control that merely mitigates some threats; the compensating control should mitigate at least 80 percent of them as well.
If it fails to meet that level of effectiveness, one can conclude that the compensating control fails to adhere to the compliance requirement.
Go above and beyond other requirements
The idea behind implementing a compensating control is not to create a temporary patch but to provide robust security. You should not look at it as a way out of implementing rigorous control or as an easier alternative. To ensure that organizations take security seriously, PCI DSS requires you to keep the following in mind to address the “above and beyond” requirement:
- An existing PCI DSS requirement cannot be considered a compensating control if it is already required for the item under review.
To understand this better, let’s take Requirement 8: assign a unique ID to each person with computer access. Here, you should implement MFA (Multi-Factor Authentication) to prevent unauthorized access. You cannot use strong passwords to compensate for the lack of MFA, as strong passwords are already a requirement and do not mitigate the risks associated with a lack of MFA.
- An existing requirement can be considered a compensating control if it is required for another area but not for the item under review. In other words, it should meet the intent of the requirement under review.
To understand this better, let’s take the example of MFA, which is a requirement for remote access. However, if MFA is used as a compensating control to address the issue of password encryption, it does not qualify as a valid control. MFA is considered an acceptable compensating control only where it meets the intent of the original requirement, addresses the associated risk, and is deployed correctly in a secure environment.
- An existing requirement may be combined with a new one to form a compensating control. For example, let’s say your organization is not able to render cardholder data unreadable as per Requirement 3.4. In this case, you can address the gap with a combination of devices, software, and controls. You could implement:
  - Internal network segmentation
  - IP or MAC address filtering
  - MFA from within the internal network
Be commensurate with risks imposed due to non-adherence
When you don’t implement a particular control, you create a security gap by leaving unaddressed the risk the control was intended to cover. When you replace the suggested control with an alternative, you should ensure that the alternative is sufficient to close that gap and mitigate the risk created by non-adherence.
One way to do this is to assess the risk of the original requirement and compare the result with the risk remaining under the compensating control. Remember, the PCI DSS requirements were created by industry experts who know what works and what doesn’t. So, the smart way to assure compliance is to do things the recommended way and only devise your own solutions when nothing else works.
PCI DSS compensating controls worksheet
The PCI compensating controls worksheet is meant for organizations that have undergone a risk analysis and have legitimate business constraints that prevent them from implementing the original controls. It is your organization’s responsibility to fill in this document. Once you have completed it, a Qualified Security Assessor (QSA) can suggest improvements.
Here are a few tips when filling this worksheet:
- Do not use poor or weak arguments in your justifications. For instance, businesses often state that they simply don’t want to use a control or that it was difficult to implement. While these might sound reasonable to you, they are not a sound approach to security. Reasons such as budget constraints, the time required for implementation, or an application that cannot support the control are better justifications.
- Many organizations implement compensating controls but fail to document how they plan to keep them effective and functional. Documentation helps you gain insight into possible risks and into where your control may not be functional, and lets you set timeframes to remediate control test failures.
- Your compensating controls, processes, and systems should already exist and be functional. You cannot rely on future plans and statements like “will do”, “will implement”, “has to be reviewed”, “yet to be added”, and so on. Planning to implement a control is not the same as having one in place. The compensating controls worksheet is not your ticket out of compliance, so ensure that everything mentioned in it is already up and running.

The worksheet for compensating controls in PCI is available in Appendix C.
| Information Required | Explanation |
| --- | --- |
| 1. Constraints | List constraints precluding compliance with the original requirement. |
| 2. Objective | Define the objective of the original control; identify the objective met by the compensating control. |
| 3. Identified Risk | Identify any additional risk posed by the lack of the original control. |
| 4. Definition of Compensating Controls | Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. |
| 5. Validation of Compensating Controls | Define how the compensating controls were validated and tested. |
| 6. Maintenance | Define the process and controls in place to maintain the compensating controls. |
If any requirement is not applicable to your organization, you must explain why. The Explanation of Non-Applicability worksheet is where you document why a requirement does not apply.
Conclusion
The PCI DSS compliance process is complex and requires extensive work and documentation. Automating your PCI DSS compliance process is an effective way to reduce the time, cost, and effort involved, without compromising on your compliance posture.
Using a PCI DSS compliance automation solution such as Sprinto automates repeated tasks, reduces the chance of missed risks, and continuously monitors your environment to ensure you remain compliant at all times. Sprinto’s in-app staff security training, integrated risk assessments, and trust center add to the benefits.
Book a demo with us to know how we can make your PCI DSS compliance journey simple and hassle-free.
FAQs
What are examples of compensating controls?
Compensating controls build an alternative solution around a required control that your organization cannot provide. For example, if you are unable to encrypt cardholder data, ensure that controls such as internal network segmentation and IP address filtering are implemented.
How many control objectives are there in PCI DSS?
There are 12 requirements and 6 control objectives in PCI DSS. Each requirement falls under one of the control objectives. The six control objectives are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy