Browse Definitions :
Definition

compensating control (alternative control)

What is compensating control?

A compensating control, also called an alternative control, is a mechanism that is put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at the present time.

In the payment card industry (PCI), compensating controls were introduced in PCI DSS 1.0 by the PCI Security Standards Council (PCI SSC) in December 2004. Since then, the PCI SSC has released regular updates to the standard. The latest version -- 4.0 -- was published in March 2022. During the time between 1.0 and 4.0, the information about compensating controls changed in minor ways, but the guidelines as a whole have remained fairly consistent.

Per the PCI SSC, compensating controls give organizations an alternative to security requirements that cannot be met "due to legitimate and documented technical or business constraints." Compensating controls must sufficiently mitigate the risk associated with the original requirements. According to the PCI DSS, compensatory controls must do the following:

  • meet the intent and rigor of the original stated requirement;
  • provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against;
  • be "above and beyond" other PCI DSS requirements (simply being in compliance with other PCI DSS requirements is not a compensating control);
  • address the additional risk imposed by not adhering to the PCI DSS requirement; and
  • address the requirement currently and in the future; a compensating control cannot address a requirement that was missed in the past (for example, where performance of a task was required two quarters ago, but that task was not performed).
PCI DSS compliance levels
Compensating controls were introduced in PCI DSS 1.0 by the PCI Security Standards Council.

PCI DSS states that an assessor must evaluate each compensating control during the annual PCI DSS assessment. The assessor must confirm that each control addresses the risk targeted by the original PCI DSS requirement. As part of this process, the assessor must review and validate the control to ensure that it sufficiently meets its stated purpose.

The PCI DSS also stresses that the control's effectiveness depends on the environment in which it is implemented, as well as its configuration and the surrounding security controls. A compensating control is not effective in all environments.

The compensating controls worksheet

Appendix B of PCI DSS 4.0 includes additional details about compensating controls, and Appendix C provides a worksheet that organizations must complete if they've implemented compensating controls. The worksheet includes the following six sections:

  • Constraints. The legitimate technical or business constraints precluding compliance.
  • Definition of compensating controls. An explanation of how the compensating controls address the original objectives and the increased risks, if any.
  • Objectives. The objective of the original control and the objective met by the compensating control.
  • Identified risk. Additional risks posed by the lack of the original control.
  • Validation of compensating controls. An explanation of how the compensating controls were tested and validated.
  • Maintenance. The processes and controls that have been implemented to maintain compensating controls.

Compensating controls can be a valuable tool for organizations that have technical or business constraints that make it difficult to meet certain PCI DSS requirements. For example, PCI DSS requires the segregation of duties (SoD), an internal control designed to prevent error and fraud by ensuring that at least two individuals are responsible for the separate parts of any task. However, separating responsibilities in this way can be difficult for smaller organizations.

For instance, a small business might rely on a single individual to process and reconcile all the credit card transactions and to maintain all the related records. To comply with the SoD requirement, the business might implement a compensating control in which a third-party agent regularly reviews the transactions and relevant documentation -- as well as applicable logs and audit trails -- to verify the internal process. If the business implements this control, it must be included in the compensating controls worksheet.

See also: fraud detection, four eyes principle, risk avoidance, corporate governance, accounting error, regulatory compliance, compliance burden.

This was last updated in October 2022

Continue Reading About compensating control (alternative control)

Networking
  • firewall as a service (FWaaS)

    Firewall as a service (FWaaS), also known as a cloud firewall, is a service that provides cloud-based network traffic analysis ...

  • private 5G

    Private 5G is a wireless network technology that delivers 5G cellular connectivity for private network use cases.

  • NFVi (network functions virtualization infrastructure)

    NFVi (network functions virtualization infrastructure) encompasses all of the networking hardware and software needed to support ...

Security
  • virus (computer virus)

    A computer virus is a type of malware that attaches itself to a program or file. A virus can replicate and spread across an ...

  • Certified Information Security Manager (CISM)

    Certified Information Security Manager (CISM) is an advanced certification that indicates that an individual possesses the ...

  • cryptography

    Cryptography is a method of protecting information and communications using codes, so that only those for whom the information is...

CIO
  • B2B (business to business)

    B2B (business-to-business) is a type of commerce involving the exchange of products, services or information between businesses, ...

  • return on investment (ROI)

    Return on investment (ROI) is a crucial financial metric investors and businesses use to evaluate an investment's efficiency or ...

  • big data as a service (BDaaS)

    Big data as a service (BDaS) is the delivery of data platforms and tools by a cloud provider to help organizations process, ...

HRSoftware
  • talent acquisition

    Talent acquisition is the strategic process an organization uses to identify, recruit and hire the people it needs to achieve its...

  • human capital management (HCM)

    Human capital management (HCM) is a comprehensive set of practices and tools used for recruiting, managing and developing ...

  • Betterworks

    Betterworks is performance management software that helps workforces and organizations to improve manager effectiveness and ...

Customer Experience
  • martech (marketing technology)

    Martech (marketing technology) refers to the integration of software tools, platforms, and applications designed to streamline ...

  • transactional marketing

    Transactional marketing is a business strategy that focuses on single, point-of-sale transactions.

  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

Close