A lot of organizations are relying on numerous compensating controls to achieve their compliance with the PCI DSS. For version 1.2 of the PCI DSS, compensating controls have two new requirements and these new requirements will have the potential to cause a lot of organizations to become non-compliant. As a result, I expect to find the next year very painful for our new clients as we explain these new rules and they attempt to come up with the documentation to keep their compensating controls.
There are now six requirements to the Compensating Controls worksheet. The original four:
- The PCI DSS requirement that cannot be met;
- The control objective(s) of the PCI DSS requirement;
- The business reason(s) why the PCI DSS requirement cannot be met; and
- The compensating control(s) that have been put into place to achieve the PCI DSS requirement.
In addition to the original four requirements, two more have been added. Those requirements are:
- Validation that the compensating controls are functioning as defined; and
- How the organization maintains the compensating controls.
The easier of the two new requirements is how an organization maintains the compensating controls. However, while it is the easier of the two from a discussion standpoint, the fact that an organization must be able to document its maintenance processes for controls could be problematic. In most organizations, the change control process for the control environment is typically not documented. As a result, most organizations will have to adopt their change control processes for other business issues and just apply it to changes to their control environment.
The other new requirement is the one that most organizations will struggle with, providing documentation that the controls they are using to compensate for their lack of meeting the PCI DSS requirement are functioning as designed. While this sounds simple and straight forward, I can tell you from personal experience that a lot of the compensating controls that were documented under v1.1 of the PCI DSS cannot provide this sort of proof. In addition, a lot of compensating control cannot undergo the scrutiny of testing required to determine that they are functioning as designed.
So, where is the problem? An organization must prove that it walks the walk, not just talks the talk. This is where the wheels typically come off the bus. It is very easy to say that something is a control; it is another thing to be able to actually prove it. Organizations will have to provide documentation in the form of completed checklists or other formal documents that proves that the control is not only being used but that if a control exception occurs, the exception is addressed. In addition, the QSA will also have to observe these processes at work so that they can satisfy themselves that the control is functioning.
I am not saying that compensating controls are a bad thing. There are instances where organizations have no other choice. The most common issue in this category is the database that takes more than 9 to 15 months to re-encrypt in order to change encryption keys.
In my experience, though, there are even more organizations that are using compensating controls because it is an easy out. One of the most common reasons is that they need to avoid a large expenditure. There are also those organizations where meeting the requirement will take a cultural change that management cannot step up to make. There are also those organizations that just despise being told what to do and are just digging in their heels. And, finally, there are those organizations that just plain do not want to have to get off their rear and do something. For organizations like this, the jury rigging and hurdles they go through to make a compensating control work is mind boggling and, more often than not, costs more in time and resources than just meeting the original requirement.
If your organization is relying on compensating controls to be compliant with the PCI DSS, then you will want to make sure that you absolutely have no other alternative than a compensating control. You should do an analysis of what it costs to maintain and comply with the compensating control versus implementing the PCI DSS requirement as written. I would say that in about 85%+ of the cases, you will find that meeting the original requirement can be achieved easier and cheaper than using the compensating control.