Compensating Control

Compensating Control may be considered if PCI DSS requirement cannot meet a requirement due to legitimate Technical or Documented Business constraints.

Compensating Control must satisfy following:
1) Meet the intent and rigor of the original requirement.
2) Provide a similar level of defence as the original
3) Be "Above and Beyond" other PCI DSS Requirement.

What is above and beyong?
- If existing PCI DSS requirement CANNOT be considered as compensating Control if they are already required by the item under review.

- Existing PCI DSS requirement MAY be considered as compensating control if they are required for another area, but not required for the item under review.

- Existing PCI DSS requirement may be conbined with new control to become a compensating control.

Compensating Control Worksheet:
1) Constraints
2) Objective
3) Identified Risk
4) Defination of Compensating Controls
5) Validation of Compensating Controls
6) Maintainance




A. Be "above and beyond" other PCI DSS requirement (i.e., not simply in compliance with other requirements)
B. Sufficiently offset the risk that the original PCI DSS requirement was designed to defend against
C. Meet the intent and rigor of the original PCI requirement
​D. Be commensurate with additional risk imposed by not adhering to original requirement