Few payment security professionals can find a hotter topic than compensating controls. They always look like this mythical accelerator to compliance used to push PCI Compliance initiatives through completion at a minimal cost to your company with little or no effort.

Sound familiar?

I wish I had a tape recorder at every meeting where I heard the phrase, “Don’t worry, we’ll just write up a compensating control for this.” It may not be as great as the twenty-seven minute long video floating around of every single expletive uttered during The Sopranos’ legendary run on HBO[1], but I bet I could fill a few podcasts with the audio.

Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another[2]. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.

My goal for this article is to paint a compensating control mural. After reading this article, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS)[3].

Look for Part 2 on Wednesday!

This post originally appeared on BrandenWilliams.com.

  [1] How impressive is twenty-seven minutes? Seriously!
  [2] Why? Because we are not provided a common risk model to use.
  [3] Please visit http://www.pcisecuritystandards.org/.