Sin #2 – Compensating Control Chaos

Compensating controls are a challenging and somewhat confusing nuance of PCI DSS. In Chapter 12 of PCI Compliance: Understand and Implement Effective PCI Compliance I delve into this perceived “Get out of jail free” card. Many companies have found that chapter a useful guide for creating compensating controls during their PCI DSS journey. ((This chapter is freely available at our book’s website.))


Compensating controls are designed to let companies satisfy the requirements laid out in PCI DSS by alternative means. For example, a company that cannot enable Secure Shell (SSH) on all of its routers and switches due to technical constraints may be able to do something different that still satisfies the definition of a compensating control as laid out in the PCI DSS Glossary:

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints … Compensating controls must:

  1. Meet the intent and rigor of the original PCI DSS requirement;
  2. Provide a similar level of defense as the original PCI DSS requirement;
  3. Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
  4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. ((Quoted from the PCI DSS Glossary.))

Before any control can be considered for this perceived loophole ((The rigor by which this standard must be met makes it less of a loophole and more of a quagmire.)), it must satisfy all four of the criteria above, and the result has to be written up and defended to the assessor every year, not just once. In my experience, “security-deferring” compensating controls tend to be more costly and troublesome to an infrastructure in the long term than simply fixing the underlying problem. I’ve seen some ridiculous controls proposed, erring toward both extremely conservative and extremely liberal interpretations of the “intent and rigor of the original” requirement.

Next, we will walk through some of the issues we might find.
