See part 1 here.

What a Compensating Control Is
In the early years of PCI DSS (and even in my experience under the CISP program), the term compensating control was used to describe everything from a legitimate work-around for a security challenge to something that Michael Phelps may have dreamed up while expanding his mind at approximately twenty minutes after four in the afternoon[1].

If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. We will see more of the documented business constraints coming our way for review based on the current economic situation. Just remember the word legitimate and the phrase perform a risk analysis before proceeding to the next step. ‘Bob’ being on vacation is not a legitimate constraint, and an armchair review of the gap and potential control is not a risk analysis. Qualified Security Assessors (QSAs) should ask for documentation during a compliance review, and having it ready to go will make sure you are efficiently using their time. If they do not, you can bet that your assessment is not thorough.

Every compensating control must meet four criteria before it can even be considered for validity[2]. If you think compensating controls are easy, keep that in mind as you read the criteria below.

The compensating control polygon has four specific points that must be met. For a compensating control to be valid, it must:

  1. Meet the intent and rigor of the original PCI DSS requirement;
  2. Provide a similar level of defense as the original PCI DSS requirement;
  3. Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
  4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

For an example of a completed compensating control worksheet, review Appendix C of PCI DSS version 1.2.

An example of a valid control might be enabling extra logging for the su command on UNIX to track which named user executed actions under a shared root password. In rare cases, a system may not be able to use something like sudo to prevent shared administrator passwords from being used. (If you are reading this and saying, “HEY! We CAN just use shared passwords!” please grow up. Nearly every system has the ability to use something like sudo, which is free, or a commercial variant.)
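As an added illustration of what the su-logging compensating control above actually produces (this is example code written for this post, not part of the original article or any PCI SSC material), the script below parses the messages that su and PAM write to the system auth log and attributes each switch to root back to the named account that invoked it. The log lines are constructed samples in the usual syslog format; the host name and user names are made up.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines in the syslog format that su/PAM emit on many
# Linux systems. Host "payhost" and the user names are invented for this example.
SAMPLE_AUTH_LOG = """\
Jan 12 09:15:01 payhost su[4121]: Successful su for root by alice
Jan 12 09:15:01 payhost su[4121]: + /dev/pts/2 alice:root
Jan 12 09:15:01 payhost su[4121]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Jan 12 09:42:10 payhost su[4133]: FAILED su for root by mallory
Jan 12 09:42:10 payhost su[4133]: - /dev/pts/3 mallory:root
Jan 12 10:05:55 payhost su[4140]: Successful su for root by bob
Jan 12 10:05:55 payhost su[4140]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Jan 12 10:31:02 payhost su[4140]: pam_unix(su:session): session closed for user root
Jan 12 11:00:00 payhost su[4155]: Successful su for postgres by bob
"""

# Matches the outcome line su logs for every attempt; other su/PAM lines are ignored.
SU_RESULT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
    r"(?P<result>Successful|FAILED) su for (?P<target>\S+) by (?P<invoker>\S+)$"
)


def parse_su_events(log_text):
    """Extract every su attempt (successful or failed) as a dict."""
    events = []
    for line in log_text.splitlines():
        m = SU_RESULT.match(line)
        if not m:
            continue
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "result": m.group("result"),
            "target": m.group("target"),
            "invoker": m.group("invoker"),
        })
    return events


def attribute_root_sessions(events):
    """Map each successful switch to root back to the named user who ran su.

    This is the attribution the compensating control exists to provide: the
    shared root password alone says nothing about who used it, but the su line
    names the originating account and the PID ties it to the session lines.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "Successful" and e["target"] == "root":
            by_user[e["invoker"]].append((e["ts"], e["pid"]))
    return dict(by_user)


def failed_root_attempts(events):
    """Failed attempts to become root, worth alerting on as well as reporting."""
    return [(e["ts"], e["invoker"]) for e in events
            if e["result"] == "FAILED" and e["target"] == "root"]


def report(log_text):
    """Human-readable summary of who became root and who tried and failed."""
    events = parse_su_events(log_text)
    lines = []
    for user, sessions in sorted(attribute_root_sessions(events).items()):
        for ts, pid in sessions:
            lines.append(f"{ts}  root session (pid {pid}) started by {user}")
    for ts, user in failed_root_attempts(events):
        lines.append(f"{ts}  FAILED root attempt by {user}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG))
```

Two things make this worth something to a QSA rather than being a paper control: the log that carries these lines has to be forwarded off the host (a user who now holds root could otherwise edit it), and someone has to actually review the output on a schedule. Without both, you have attribution in theory and nothing commensurate with the risk of the shared password.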

Look for Part 3 on Monday!

This post originally appeared on BrandenWilliams.com.

  1. Aww… too soon?
  2. As described in the PCI Security Standards Glossary: https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf.