Applied Trust recently achieved Payment Card Industry (PCI) Qualified Security Assesssor (QSA) status. Most companies that pursue this credential do so solely for the purpose of being able to perform QSA-certified audits as defined by the PCI standards council. The PCI standard requires that an organization is 100% compliant across all requirements. For requirements that cannot be exactly met, PCI allows the use of compensating controls. For a variety of reasons, we think that this area is an important aspect of our PCI compliance practice.
When real-world conditions present challenges to compliance with the PCI standard as written, we work with our clients to identify, document, and evaluate appropriate alternatives. These compensating controls are not a get out of jail free card – there are specific rules as to when and how they may be applied. Specifically:
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.
Compensating controls must satisfy the following criteria:
