The Art of the Compensating Control
By Branden R. Williams – ISSA member, North Texas, USA chapter
ISSA Journal | April 2009

This article describes compensating controls: what they are, how to create them, what situations may or may not be appropriate, and what to avoid.

Few payment security professionals can find a hotter topic than compensating controls. They always look like this mythical accelerator to compliance, used to push PCI compliance initiatives through to completion at minimal cost to your company with little or no effort. Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another [1]; there is no guarantee that a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid. My goal for this article is to paint a compensating control mural. After reading this article, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) [2].

What a compensating control is

In the early years of PCI DSS (and even in my experience under the CISP program), the term compensating control was used to describe everything from a legitimate work-around for a security challenge to a shortcut to compliance. If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. We will see more of the documented business constraints coming our way for review based on the current economic situation. Just remember the word legitimate and the phrase perform a risk analysis before proceeding to the next step. Bob's being on vacation is not a legitimate constraint, and an armchair review of the gap and potential control is not a risk analysis.

QSAs should ask for documentation during a compliance review, and having it ready to go will make sure you are efficiently using their time. If they do not ask, you can bet that your assessment will not be thorough. Every compensating control must meet four criteria before it can be considered for validity:

1. Meet the intent and rigor of the original PCI DSS requirement
2. Provide a similar level of defense as the original PCI DSS requirement
3. Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements)

[1] Why? Because we are not provided a common risk model to use.
[2] Please visit http://www.pcisecuritystandards.org.

ISSA Journal April 2009 Feature