The Role of the Acquirer
Ultimately it is the Acquiring institution that must approve the compensating control. If you are like most companies, you are most likely dealing with more than one Acquiring institution, so remember: any control you propose should be approved by ALL of them before proceeding. Imagine the difficulty of getting your Visa/MasterCard acquirer to agree with American Express, and then Discover! It’s hard enough to get one institution to agree, but three? Consider this before you bet the farm on a flimsy compensating control that doesn’t solve the underlying problem.
How to Avoid Compensating Control Chaos
There is really only one way to avoid getting into a tug-of-war on compensating controls—don’t use them. Unfortunately, for most companies, that is virtually impossible. For those of you who must use at least one compensating control, be sure to document each one thoroughly, and plan on overachieving just a bit to show the assessor you are not just trying to scrape by. If you have a long-term remediation plan to address the root cause of the issue, disclose it with milestones and owners. This alone will go a long way toward showing both the assessor and the Acquirer that you have thought through the design of the control and have an exit strategy planned. Compensating controls must be written up with each Report on Compliance (ROC), so expect a savvy Acquirer to review them each year to see if you are sticking with your commitments.
Up next? QSAs that are DRUNK WITH POWER!