Compensating Controls

A lot of organizations are relying on numerous compensating controls to achieve their compliance with the PCI DSS.  For version 1.2 of the PCI DSS, compensating controls have two new requirements and these new requirements will have the potential to cause a lot of organizations to become non-compliant.  As a result, I expect to find the next year very painful for our new clients as we explain these new rules and they attempt to come up with the documentation to keep their compensating controls.

There are now six requirements to the Compensating Controls worksheet.  The original four:

  • The PCI DSS requirement that cannot be met;
  • The control objective(s) of the PCI DSS requirement;
  • The business reason(s) why the PCI DSS requirement cannot be met; and
  • The compensating control(s) that have been put into place to achieve the PCI DSS requirement.

In addition to the original four requirements, two more have been added.  Those requirements are:

  • Validation that the compensating controls are functioning as defined; and
  • How the organization maintains the compensating controls.

The easier of the two new requirements is how an organization maintains the compensating controls.  However, while it is the easier of the two from a discussion standpoint, the fact that an organization must be able to document its maintenance processes for controls could be problematic.  In most organizations, the change control process for the control environment is typically not documented.  As a result, most organizations will have to adopt their change control processes for other business issues and just apply it to changes to their control environment.

The other new requirement is the one that most organizations will struggle with, providing documentation that the controls they are using to compensate for their lack of meeting the PCI DSS requirement are functioning as designed.  While this sounds simple and straight forward, I can tell you from personal experience that a lot of the compensating controls that were documented under v1.1 of the PCI DSS cannot provide this sort of proof.  In addition, a lot of compensating control cannot undergo the scrutiny of testing required to determine that they are functioning as designed.

So, where is the problem?  An organization must prove that it walks the walk, not just talks the talk.  This is where the wheels typically come off the bus.  It is very easy to say that something is a control; it is another thing to be able to actually prove it.  Organizations will have to provide documentation in the form of completed checklists or other formal documents that proves that the control is not only being used but that if a control exception occurs, the exception is addressed.  In addition, the QSA will also have to observe these processes at work so that they can satisfy themselves that the control is functioning.

I am not saying that compensating controls are a bad thing.  There are instances where organizations have no other choice.  The most common issue in this category is the database that takes more than 9 to 15 months to re-encrypt in order to change encryption keys.

In my experience, though, there are even more organizations that are using compensating controls because it is an easy out.  One of the most common reasons is that they need to avoid a large expenditure.  There are also those organizations where meeting the requirement will take a cultural change that management cannot step up to make.  There are also those organizations that just despise being told what to do and are just digging in their heels.  And, finally, there are those organizations that just plain do not want to have to get off their rear and do something.  For organizations like this, the jury rigging and hurdles they go through to make a compensating control work is mind boggling and, more often than not, costs more in time and resources than just meeting the original requirement.

If your organization is relying on compensating controls to be compliant with the PCI DSS, then you will want to make sure that you absolutely have no other alternative than a compensating control.  You should do an analysis of what it costs to maintain and comply with the compensating control versus implementing the PCI DSS requirement as written.  I would say that in about 85%+ of the cases, you will find that meeting the original requirement can be achieved easier and cheaper than using the compensating control.


3 Responses to “Compensating Controls”

  1. February 9, 2010 at 1:28 PM

    I wrote an article about Compensating Controls that you can find under the Media section of my blog. There is an expanded version of it in the blog, as well as in the book I just published with Dr. Anton Chuvakin on PCI!

  2. December 22, 2009 at 9:38 AM

    I agree with most of your conclusions regarding compensating controls, however, I would point out that while cost is typically a big a factor which drives a compensating control it is not necessarily that they simply do not want to spend the money. A great example is encryption. Companies are spending millions on encryption and key management schemes which do not provide any real deterrent yet are compliant because encryption applies to the mythical idea of “data at rest”. Unlike PIN encryption which works(yet still subject to attack), cardholder data encryption is flawed because there is always a username and password(application, user, DBA) with access to the data. Thus the data is only protected by a username and password which in my humble opinion is far easier to get a hold of (or change) then any key. A client of mine summed it up nicely. “For the cost of this encryption solution, I can hire 2 highly qualified security professionals or retain the people I have with a compensating control rather than implement a transparent encryption solution which is only protecting data when the machine is turned off”. In other words, the money can be better spent elsewhere and significantly lower their risk than strict PCI compliance. Given that I make my living on the PCI standard, I am very reluctant to bash the standard or agree with the “Compliance != security crowd” but compensating controls remain an important tool when used properly to meet the intent of the standard and reduce a company’s risk.

  3. 3 Lyta April
    November 20, 2009 at 2:21 PM

    Where can I find some good information on compensating controls? We are a small business and are trying to do everything right, but we are dependent on software vendors to do their part. For example, our email server does not pass compliance due to a problem that was first reported to Lotus in 2002. I have other examples as well. How do I go about assuring the processor that I am doing all I can, but that I am at the mercy of others?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


November 2009
« Oct   Dec »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,981 other followers


%d bloggers like this: