Compensating Controls: Risky Business or Risk-Based Approach?
Advice from an Assessor
By: Pierre Tagle
One of the more contentious topics when dealing with PCI DSS has been using compensating controls. For a QSA conducting an assessment, hearing about the use of compensating controls means more ground to cover. On the other hand, experienced assessors know that compensating controls can be part of the solution to meet compliance requirements.
However, this approach can also be abused, as some organisations treat it as a go-to solution. The result is improperly designed or badly implemented compensating controls, which leads other IT professionals to see compensating controls as loopholes around the prescriptive nature of the standard.
So are compensating controls just risky business that put cardholder data at risk? Or do they present us with a risk-based approach to meet the intent of the standard and protect cardholder data?
Compensating Control Components
Let us look at what makes up a compensating control for a PCI DSS requirement. There are six components (as set out in the compensating controls appendix of the standard):
- Constraints
- Objective
- Identified Risk
- Definition of Compensating Controls
- Validation of Compensating Controls
- Maintenance
First, there have to be legitimate constraints (e.g. technical, business) as to why a compensating control is being considered – not just because the organisation does not want to implement the requirement.
The next two points are about assessing the risks. The objective of the original control must be reviewed against the objective being met by the compensating control - i.e. is the compensating control meeting the intent of the original control? (Tip: To understand the intent of the control, check the guidance column in the standard for each requirement.) Next, what additional risks (if any) are introduced by the use of the compensating control? As when drawing up risk treatment plans under other industry standards, assess both the inherent and the residual risks.
The last three points are about the implementation of the compensating control, from definition (i.e. details of the compensating control and how it achieves the objectives), to validation (i.e. testing that the compensating control is meeting its objectives), and finally maintenance (i.e. ensuring that the control continues to be effective over time).
Any risk mitigation measure is only effective for as long as the measure is sufficient to mitigate the threat. However, threats evolve and new threats are always emerging. So like other industry security standards, PCI DSS requires organisations to conduct periodic risk assessments. This includes reviewing compensating controls to see whether they are still effective and continue to meet the intent of the standard.
Organisations should periodically review why a compensating control was implemented. Technology solutions improve and decrease in cost rapidly. Business processes also change over time. New factors may mean that the compensating control is no longer required and direct measures are feasible.
Compensating controls are not a permanent fix. The direct application of PCI DSS controls still presents the most straightforward and recommended way to achieve compliance. However, there are cases wherein legitimate constraints present considerable challenges for organisations. When designed and implemented properly, compensating controls present a risk-based approach for these organisations to meet PCI DSS compliance.
A final important note: A compensating control worksheet must be completed for each compensating control used to meet a PCI DSS requirement. For more information, take a look at Appendix C in PCI DSS.
This article originally appeared in PCI Professional Update – resources for PCIPs: April 2016 newsletter