What are Compensating Controls in PCI DSS?


PCI DSS compliance is a standing concern for any organization that stores, processes, or transmits payment card data. Meeting every requirement of the standard exactly as written is rarely straightforward: organizations run into technical constraints (for example, a legacy system that cannot be patched or reconfigured) or documented business constraints that make a requirement infeasible in its original form.

Such constraints shape security decisions and sometimes rule out implementing a particular control as specified. Where an organization genuinely cannot meet a requirement as written, it may instead implement an alternative control that provides a similar level of protection and addresses the risk the original requirement was written to mitigate.

In PCI DSS these alternatives are called compensating controls. This article explains the role of compensating controls in PCI DSS and what the PCI Security Standards Council (PCI SSC) says about them. First, a definition.

What are compensating controls in PCI DSS?

A compensating control is an alternative measure put in place when a specific security or compliance requirement is not feasible for the organization to implement in its original form. The PCI SSC defines them as follows: "Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls". A compensating control must therefore satisfy the criteria set out in PCI DSS Appendix B, which are covered in the criteria section below.

In practice this means that an organization that cannot meet a PCI DSS requirement as stated must identify, implement, and validate an alternative that delivers an equivalent level of protection against the specific risk that requirement addresses. A compensating control is not a waiver; the requirement still applies, and the organization must show it has met the requirement's intent by other means.

What does the PCI Council say about compensating controls in PCI DSS?

The Council allows organizations to implement alternative controls, but it states clearly that before a compensating control can be considered effective, any risk introduced by implementing it must be identified, analyzed, and mitigated. Documenting this analysis is essential, because it forms part of the Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).

For each requirement that is met with a compensating control, the ROC or SAQ must include a completed Compensating Controls Worksheet, as set out in Appendix C of the PCI DSS Requirements and Security Assessment Procedures. The worksheet records how the compensating control is defined, why it is needed, and how it was validated, following the applicable PCI guidance.

Important considerations for compensating controls stated by the PCI Council

Understanding the PCI DSS criteria for compensating controls

PCI DSS Appendix B sets out the criteria that a compensating control must meet. When designing and implementing a compensating control, the organization must ensure that it:

1. Meets the intent and rigor of the original PCI DSS requirement.
2. Provides a similar level of defense as the original requirement, so that it sufficiently offsets the risk the original requirement was designed to defend against.
3. Is "above and beyond" other PCI DSS requirements; simply complying with another existing requirement does not count as a compensating control for a different one.
4. Is commensurate with the additional risk imposed by not adhering to the original requirement.

Use of Compensating Control to reduce the scope of PCI DSS Compliance

Many organizations assume that compensating controls are a way to avoid or reduce the scope of compliance, a shortcut to compliance with little effort or money spent, or even a technique for shrinking the cardholder data environment (CDE) so that fewer network segments have to be assessed. The reality is quite different. Compensating controls do not reduce scope; scope is reduced through network segmentation and by removing cardholder data from systems, not by substituting controls. Companies must provide a clear justification for each compensating control that replaces an original PCI DSS requirement.

Organizations that plan to deploy compensating controls need to understand that Qualified Security Assessors (QSAs) will, at assessment time, examine the business or technical constraints that prevent the original requirement from being implemented. The organization must submit documentation describing those constraints and demonstrating that it performed a risk analysis of the gap between the original requirement and the proposed alternative. This analysis takes real time and money, sometimes more than it would cost to address the original issue directly.

The documented constraints must be valid and legitimate, and whether they are is at the discretion of the QSA. Only once the constraints are accepted can the organization move on to designing the compensating control. Note that a lack of resources, budget, or infrastructure is not by itself considered a legitimate reason for not implementing a PCI DSS requirement.

How should the Compensating Controls be documented?

Once the compensating control is considered valid, the organization must document its effectiveness in its environment using the Compensating Controls Worksheet from PCI DSS Appendix C. The worksheet is completed for each requirement met by a compensating control and covers the following areas:

1. Constraints: the legitimate technical or documented business constraints that prevent compliance with the original requirement.
2. Objective: the intent of the original requirement and the objective the compensating control is meant to achieve.
3. Identified risk: the additional risk created by not meeting the original requirement.
4. Definition of compensating controls: what the controls are, how they address the objective, and how they mitigate the identified risk.
5. Validation of compensating controls: how the controls were tested and verified to be effective.
6. Maintenance: the processes and controls in place to keep the compensating control effective over time.

If the organization can document these details convincingly, it can deploy the compensating control as described. Ultimately, it is the QSA's decision whether to accept the control, and even a QSA-approved control remains subject to acceptance by the acquiring bank and/or the payment card brands. Compensating controls are also revisited at each assessment, so the documentation must be kept current.

Conclusion

To set the record straight: although compensating controls can help an organization's compliance effort, the organization should replace them with the original control as soon as possible. They are a stop-gap rather than a permanent fix, and they have to be justified, validated, and documented again at every assessment. In addition, identifying, analyzing, and deploying a compensating control can turn out to be more expensive and time-consuming than implementing the original control.

It is also important to understand that although a QSA may approve a compensating control, the acquiring bank and the card brands have the final say. There is always a chance that the company invests significant time and resources in designing a control only to have the acquirer reject it. Wherever possible, organizations should implement the original PCI DSS requirement rather than look for a shortcut. Turn to compensating controls only when there is genuinely no alternative, and even then consult your QSA and your acquiring bank or card brands before finalizing the implementation.
