In 2006, the Payment Card Industry Security Standards Council (PCI SSC) launched a set of requirements to ensure that organizations that process, store, or transmit credit card information maintain a secure environment to help prevent card payment fraud.
PCI Data Security Standard, more commonly referred to as PCI DSS, has long been a significant hurdle for organizations that deal with credit card data. From implementing the appropriate tech to creating policies, to ensuring compliance with the security requirements associated with PCI DSS, PCI compliance is no easy feat.
Though PCI DSS is not the law, it does become a contractual requirement once an organization partners with any card company. So what does an organization do if it faces technological, business, or even financial constraints that make it difficult to meet the requirements set forth by the PCI Council? Best practice would dictate introducing a compensating control.
What are Compensating Controls?
Compensating controls are alternative solutions or measures that satisfy a security or compliance requirement which the organization cannot put in place in its original form. The PCI Council defines compensating controls as:
“Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.”
PCI DSS 3.2.1 states compensating controls must:
- Meet the intent and rigor of the original PCI DSS requirement;
- Provide a similar level of defense as the original PCI DSS requirement;
- Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
- Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
So, this simply means that any organization which cannot meet a PCI DSS requirement as written must analyze the risk and deploy security measures that provide an equivalent level of protection for that specific requirement.
Implementing Alternate Security Control Measures
PCI SSC provides guidance on implementing alternative security control measures, or compensating controls, within the PCI DSS 3.2.1 document. The Council clearly states:
“For each and every compensating control, the Compensating Controls Worksheet must be completed. Additionally, compensating control results should be documented in the ROC in the corresponding PCI DSS requirement section.”
In other words, prior to any compensating control being considered effective, your organization must complete an analysis to determine the risk associated with said controls and how you will mitigate any risks identified during the investigation. Documentation of the analysis is also essential to complete parts of the Report on Compliance (RoC) / Self-Assessment Questionnaire (SAQ) forms. These are two formal documents that are used to show that you are handling credit card information appropriately and are compliant with the PCI DSS, and will be required when Qualified Security Assessors conduct the annual audit.
Understanding PCI DSS Compensating Controls Criteria
To design and implement a compensating control, the organization must fulfill the four criteria above. Let's break those down into more easily understandable terms:
Meet the intent and rigor of the original PCI DSS requirement: To fulfill this criterion, the compensating control must provide the same level of security as the original requirement. An example would be the PCI DSS requirement to maintain a firewall to protect cardholder data when the organization does not have one. The organization would then need a compensating control that provides the same level of protection for cardholder data against attackers and unauthorized access; in other words, the alternative measure must provide the same type of protection that a firewall would.
Provide a similar level of defense as the original PCI DSS requirement: While this criterion may sound redundant to the first one, it is focused on the practical effect of the compensating control. If the original requirement is intended to provide a specific level of protection and the compensating control cannot match it, the compensating control may be deemed ineffective by an auditor or Qualified Security Assessor. Simply put, any compensating control must be as strong and effective as the original requirement.
Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements): To fulfill this criterion, the organization must ensure that if an implemented compensating control poses an additional risk, the compensating control accounts for that risk as well, or it runs the risk of being deemed invalid or ineffective.
Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement: This criterion is often thought to be complicated, but in reality it is quite simple. If your compensating control replaces one PCI requirement, it cannot be used as an alternative measure for any other PCI requirement. In other words, do not double-dip on compensating controls.
Once the compensating control is considered valid, organizations need to document its effectiveness in their environment. This documentation should include:
- Constraints List
- Identified Risks
- Definition of Compensating Controls
Where do Auditors Come From?
PCI DSS requires that all businesses with more than 6 million credit card transactions per year undergo a yearly PCI audit conducted by a “qualified auditor.” Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA employees are individuals who are employed by a QSA company and have satisfied, and continue to satisfy, all QSA requirements. Organizations are responsible for finding their own auditor in their region by selecting a QSA company from the PCI directory.
Getting Through a PCI Audit
If your organization plans on implementing compensating controls, you need to be prepared to provide clear justification for using them. At the time of assessment, Qualified Security Assessors (QSAs) will need to review the business constraints you’re facing and assess the reasons you are unable to deploy the original PCI DSS requirement. This requires that your organization maintain the RoC and SAQ documents and the worksheets provided within PCI DSS 3.2.1.
Don't Roll The Dice with a QSA
Compensating controls are, in effect, a decision to debate a PCI auditor about whether your security controls are better than the PCI DSS requirements as written. Being convincing in person is not enough, either; the auditor will review the written RoC and SAQ documents you provide and decide whether or not the reasons listed are legitimate.
Whenever possible, play it safe and implement the controls as literally as you can. Additionally, keep in mind that while compensating controls are designed to help organizations meet PCI DSS requirements, they are intended to be temporary. It is recommended that you replace these alternative measures with the original controls as quickly as possible.