Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:
- meet the intent and rigor of the original PCI DSS requirement
- repel a compromise attempt with similar force
- be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements) and
- be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement
Please visit https://www.pcisecuritystandards.org for further information.
Merchants are responsible for ensuring their systems comply in all respects with PCI DSS Standards. Merchants wishing to use compensating controls should seek guidance and official verification from a Qualified Security Assessor (QSA) and ensure such compensating controls do not conflict with the requirements of the PCI DSS Standards. In the event a Merchant chooses to lodge any compensating control within the Self-Assessment Questionnaire, it does so by taking full responsibility for any system breach arising from the control in place and will remain fully liable for any losses, including any Card Scheme Fine.