While reading the over 100 pages of PCI DSS compliance requirements may be overwhelming, you’ll get useful tips on risk reduction at the document’s appendices. If you need to successfully limit your risks, you should start by limiting your scope. Also, you should use compensating controls to accelerate your PCI DSS compliance even when you do not meet their architectural requirements. However, it’s true that making your business PCI compliant is a significant challenge due to their rather confusing requirements.
What are the Compensating Controls?
According to Appendix B of PCI’s FAQ document, the compensating controls are those factors that are considered for PCI DSS requirements if a business fails to meet the exact requirements due to legitimate constraints. However, the investor should demonstrate measures adopted to mitigate the risk related to the specific requirement. Also, if you manage to fulfil the overall role of PCI; to protect the client’s information, in a better way than stipulated in the compliance document, then you can claim to compensate for control. The primary reason for PCI’s compensating controls is not to ease the process but to offer alternatives compliance strategies for the businesses thus making it flexible.
How to Meet the Requirements of the Original PCI DSS Requirement
While the presence of compensating controls offers the desired flexibility, it is only intended to fix gaps in the compliance but not to offer a permanent solution. You’ll need to fulfil all the requirements to meet the intent and rigour of the compliance document which makes it complex when creating an overlap of controls. For example, the first requirement for PCI DSS is to install a firewall for the cardholder’s data protection. You’ll have to upgrade your internal and external systems to work well with the firewalls.
If you do not have the firewall installed, then you must prove that you have a system that works better than the firewall in protecting the client’s data thus guaranteeing the protection of the cardholder’s information from intruders.
How Can I Have a Compensating Control that has Similar Level of Defense like the Original PCI DSS Requirement?
Well, the PCI DSS compliance is strictly based on their requirements except when there is sufficient proof that a compensating control will mitigate the risk targeted by the PCI in a better way.
If the risk of data intrusion is higher with the compensating control than it is with the PCI DSS requirement, then such a control will fail the compliance test.
How can I be Beyond Other PCI DSS Requirements?
While PCI offers the flexibility to allow compensating controls, they desire that you strictly adhere to their requirements for guaranteed data protection. As such, they have made it quite difficult for any compensating control to match the original requirements.
The current PCI DSS requirements are never considered as compensating controls if they are needed for an item under review. For example, we cannot have compensating controls for passwords meant for non-console administrative access since it’s a requirement that they are encrypted to eliminate the risk of intercepting the passwords. No other passwords can be used to compensate for an absence of encrypted passwords. Also, you cannot acquire a compensating control by exposing other places to vulnerability because the risk still exists.
The existing PCI DSS requirements can be compensating controls only when they are required on another area but not for the item under review. For example, two-factor authentication can be compensating control if it fulfils the intent of the original requirement and is set in a secure environment that does not expose the cardholder’s data to unmitigated risk. Note that this does not contradict the first example since this requires that if a stronger item that can be used with another requirement is available, then there exists the flexibility to use it. It can be used since it does not expose the other to risk.
Finally, you should note that the PCI DSS requirements can be combined to offer compensation for a missing requirement. For example, the compensating control can consist of the internal network segmentation, IP address, and two-factor authentication available within the internal network. This combination should only be used when there is evidence that the control will offer enhanced protection of the cardholder data as well as increase the convenience of the card user. What this means is that you can create a system of controls to take care of the PCI requirements by putting together compensating controls.
How to be Proportionate with Risks Associated with Failure to Adhere to PCI DSS Requirement
All the compliance procedures are risk-based. You need to assess the compensating control to determine whether it matches the risk-mitigation measures put in place by PCI DSS. If it exposes you to higher risk, then you need to change it and make sure you are beyond the PCI requirements for guaranteed safety. Following PCI DSS ensures consistency and should thus be encouraged for businesses.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.