
What Is (and Isn't) a Compensating Control?
First introduced in PCI DSS 1.0, compensating controls are alternate measures an organization can use to meet a requirement it cannot satisfy as written because of a legitimate technical or documented business constraint. Those controls must satisfy four criteria:

- Meet the intent and rigor of the original stated requirement;
- Provide a similar level of defense as the original stated requirement;
- Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
- Be commensurate with the additional risk imposed by not adhering to the original stated requirement.
"Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid."

Companies considering compensating controls need to understand that Qualified Security Assessors (QSAs) will ask for documentation of the business or technical constraint during an assessment, and that the documented constraint must be legitimate. An organization can't cite a qualified professional going on vacation as a constraint, for example. The company must also submit a risk analysis of the gap between the original requirement and the proposed alternate measure, showing how the alternate measure covers that gap. Performing such an analysis takes time and costs money, sometimes more than it would cost to address the original issue or vulnerability directly. Only once the constraint and the risk analysis are documented can an organization move on to the next step: designing the compensating control itself.
Designing a Compensating Control
Organizations have a lot of flexibility in creating alternate controls. Compensating controls can apply to nearly every PCI DSS requirement; the notable exception is the prohibition on storing sensitive authentication data after authorization, for which no compensating control is accepted. Let's look at some examples.

Example #1: Segregation of Duties

To prevent fraud and error, some organizations are required to implement an internal control under which two or more staff complete separate parts of a task. Take an organization's finance department, for example. One employee might handle several accounting duties, while another employee is responsible only for writing the checks. But as noted by Tech Target, it's not always possible for every organization to implement that control, especially for companies with small staffs. In those cases, an organization might instead keep detailed logs and audit trails of the combined duties and have them reviewed independently, so that the single person who holds both duties cannot act without a record someone else examines.

Example #2: Encryption

Some companies lack the resources to encrypt all of their stored electronic data. They might therefore turn to compensating controls to provide an equivalent level of protection, such as database security applications, e-mail encryption and similar tools. A company might decide, for instance, to switch its mid-tier UNIX systems from Discretionary Access Control (DAC) to Mandatory Access Control (MAC). Tightly restricting which subjects can read the data could be argued to meet the intent of PCI Requirement 3.4 (rendering stored PAN unreadable) without encrypting it. But as with any compensating control, there's a cost. Dr. Chuvakin and Williams explain:

"Security professionals inside companies love the idea of converting to MAC as it allows us to have more granular control over the systems and their data. Practical ones know that converting an existing system requires so much effort that the costs outweigh the benefits."

Example #3: Log Storage

A retailer with 500 stores needs to log all individual accesses to cardholder data. It currently stores that data in one large database. Logging every individual access means one audit record for every record of cardholder data touched, so the company is considering buying a large amount of drive space to store its logs. Log management is important to breach detection and response, so the retailer shouldn't skip that step. But to answer the question the logs exist to answer, namely which cards were accessed, the company doesn't necessarily need to invest in more storage. For the batch process that runs daily, it could instead log the actual query performed against the database (together with its parameters, the account that ran it and the time), and derive the set of affected cards from that record when needed.
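The following is an added example, not code from the original article, showing what query-level audit logging for a daily batch job looks like next to the per-row approach it replaces. One audit entry is written per query, holding the SQL text, bound parameters, principal, timestamp, row count and a salted one-way fingerprint of each PAN returned, so the log itself never contains a usable card number; the set of cards a query touched is recovered by re-running the logged query and comparing against the recorded fingerprints. The table and column names, the sample rows and the salt are assumptions constructed for this example, and the replay is only exact while the underlying data is unchanged, which is why the entry also stores the fingerprints seen at the time.

```python
"""Query-level audit logging for cardholder-data access (added example).

Assumptions: an SQLite table `transactions(store_id, pan, txn_date)`, a
per-deployment salt kept outside the log store, and batch queries that
select `pan` as their first column. All sample rows are constructed test
values, not real card numbers.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timezone

# Constructed sample data: a few industry test PANs spread over three stores.
SAMPLE_ROWS = [
    (1, "4111111111111111", "2024-01-03"),
    (1, "4222222222222222", "2024-01-04"),
    (2, "5555555555554444", "2024-01-03"),
    (3, "378282246310005", "2024-01-05"),
]


def open_sample_db():
    """In-memory SQLite database standing in for the retailer's cardholder DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions(store_id INT, pan TEXT, txn_date TEXT)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def pan_fingerprint(pan: str, salt: str) -> str:
    """Salted one-way hash so the audit log never holds a usable PAN."""
    return hashlib.sha256((salt + pan).encode()).hexdigest()[:16]


def run_batch_query(conn, audit_log, principal, sql, params, salt):
    """Run one batch query and append ONE audit entry for it, not one per row.

    The entry carries what is needed to answer 'which cards were accessed?'
    later: who ran it, the exact SQL and parameters, when, how many rows
    came back, and the fingerprints of the PANs returned.
    """
    rows = conn.execute(sql, params).fetchall()
    pans = [r[0] for r in rows]  # assumption: pan is the first selected column
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "principal": principal,
        "sql": sql,
        "params": list(params),
        "row_count": len(rows),
        "pan_fingerprints": sorted(pan_fingerprint(p, salt) for p in pans),
    })
    return rows


def cards_accessed(conn, entry, salt):
    """Re-run a logged query to recover the PAN fingerprints it touched.

    Caveat: the replay is exact only if the data has not changed since the
    entry was written. The fingerprints recorded at the time are compared
    against the replay so drift is reported instead of silently wrong.
    """
    rows = conn.execute(entry["sql"], tuple(entry["params"])).fetchall()
    now = sorted(pan_fingerprint(r[0], salt) for r in rows)
    return {"matches_log": now == entry["pan_fingerprints"], "fingerprints": now}


def demo():
    salt = "per-deployment-secret-salt"  # assumption: stored outside the log system
    conn = open_sample_db()
    log = []
    run_batch_query(conn, log, "nightly-settlement",
                    "SELECT pan, store_id FROM transactions WHERE txn_date = ?",
                    ("2024-01-03",), salt)
    return log, cards_accessed(conn, log[0], salt)


if __name__ == "__main__":
    log, check = demo()
    print(json.dumps(log, indent=2))
    print(check)
```

Storage-wise the difference is one entry per query versus one entry per row returned; the cost of the trade is that proving which cards a query touched on a given day now depends on the database (or a point-in-time snapshot of it) still being available for replay, which the `matches_log` check makes visible rather than assuming.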