In a recent blog, we discussed the evolution of the Payment Card Industry Data Security Standard (PCI DSS). One area not covered was the part of the Standard that addresses compensating controls. This is an area under constant change and evolution. Although compensating controls must achieve specific results and meet detailed objectives, they are by their very nature undefined: their structure is limited only by our imaginations (and, of course, by practicality). In this post, we will look at compensating controls within the PCI DSS, which requirements are most likely to involve them, and how to work with your Qualified Security Assessor (QSA) on implementing and assessing any compensating controls you wish to make part of your PCI compliance program.
What are Compensating Controls?
First, let's start with the most commonly agreed-upon definition of compensating controls.
According to the PCI Security Standards Council, the global organization that manages the PCI Standards, compensating controls must satisfy the following criteria:
- Meet the intent and rigor of the original PCI DSS requirement.
- Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against. (See guidance column for the intent of each PCI DSS requirement.)
- Be “above and beyond” other PCI DSS requirements. (Simply complying with other PCI DSS requirements is not a compensating control.)
Further, the Council states that, "Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of compensating controls."
At the most basic level, this means that if an organization cannot meet a PCI DSS requirement in the manner the Standard prescribes, it may investigate and deploy other configuration changes, technologies or processes that meet the intent of that specific requirement. Importantly, the guidance maintains that before these can be considered effective, the organization must identify, examine and mitigate any risk introduced by the compensating control itself, not just the risk the original requirement addresses.
The documentation of this analysis of risk, technology and process is of fundamental importance, because it must accompany whichever validation document you file: the Self-Assessment Questionnaire (SAQ) if you self-assess, or the Report on Compliance (ROC) if a QSA assesses you. In either case it takes the form of a completed Compensating Controls Worksheet for every requirement marked "in place" via compensating controls, per the applicable PCI instructions. The worksheet template is published as Appendix C of the PCI SSC document, PCI DSS Requirements and Security Assessment Procedures.
If you work with a QSA for your organization's assessment, whether by choice or by requirement (depending on your PCI merchant level, which is determined by the type and volume of your payment card transactions), you will be less reliant on your own internal vetting and risk assessment. QSAs are likely to have a solid body of experience with compensating controls that other organizations have employed and that have been accepted as meeting the intent of the Standard in the past (more on that later).
Common Compensating Controls
Often, we see compensating controls used in an effort to reduce the scope of the Cardholder Data Environment (CDE) within an organization, so that fewer systems and network segments must be assessed for PCI DSS compliance. Encryption or tokenization within the payment process is an effective way to minimize the burden of managing cardholder data in clear text. Strictly speaking, scope reduction is not the same thing as a compensating control: a compensating control stands in for a requirement that still applies but cannot be met as written, whereas scope reduction takes systems out of the requirement's reach entirely. The two are frequently conflated, and your QSA will want to know which one you are actually claiming.
Network access control (NAC) technologies, database security applications and services, and data loss-prevention tools are also frequently proposed as compensating controls to reduce the risk of cleartext cardholder data on company servers.
Outsourcing the online payment process to a shopping cart or payment processing vendor is another; the theory being that if your systems never touch cardholder data, you have effectively offloaded the risk (and the security requirements) to your vendor. Note that outsourcing does not transfer accountability: the merchant remains responsible for ensuring the provider is PCI DSS compliant and for managing that relationship (PCI DSS Requirement 12.8 covers service provider management), and the integration points that remain in your environment, such as a redirect or hosted iframe on your web server, still have applicable requirements of their own.
A word of caution about vendor-proposed compensating controls: every vendor under the sun would like to sell the silver bullet that lets a business skate through compliance. Some have a much more legitimate claim than others. Always research any vendor claim thoroughly through third-party sources, and ask specifically whether the QSA community has accepted the control in other assessments. As a rule of thumb, if what a vendor is saying sounds too good to be true, it probably is.
Effective Documentation of Compensating Controls
Once you have settled on a compensating control, you are going to need to document its effectiveness in your environment. What can you expect from this process and the Compensating Controls Worksheet? Essentially, it boils down to six areas of process and documentation, which are the six sections of the worksheet:
- Constraints
- Objective
- Identified Risk
- Definition of Compensating Controls
- Validation of Compensating Controls
- Maintenance
In simpler terms, think of what needs to be documented in the following way:
- You need to document the constraints that preclude compliance with the original requirement.
- You must define the objective of the original control and identify how the compensating control meets that objective.
- Any additional risk posed by the lack of the original control must be identified.
- You must describe your compensating controls and explain how they address the objective of the original control and any increased risk to the organization.
- You must describe how the compensating controls were validated and tested, so the assessor can confirm they actually do what you claim.
- Finally, you must explain how the compensating controls will be maintained and monitored so that they continue to be effective in lieu of the prescribed control.
As long as you are able to document these effectively, you should be in the clear to deploy a compensating control. Ultimately, though, whether those controls are accepted further on down the line is not your decision; it rests with your acquiring bank and/or the payment card brands. This is when it pays to have a solid relationship with your QSA.
Working with a QSA for Compensating Controls
The PCI Council states, “All compensating controls must be reviewed and validated for sufficiency by the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a particular compensating control will not be effective in all environments.”
Hence, our first maxim: since QSAs must be involved, get them involved early.
The undefined nature of compensating controls may lead an inexperienced compliance worker to believe they are an easier path to a ROC. In reality, they are rarely a faster or better route. There is significant process involved, and everything must pass the QSA sniff test. Don't assume you have to create all of that documentation and process yourself. A best practice is to ask your service providers and vendors how they have helped other organizations meet the intent of the Standard, and whether they have ready-made outlines for the documentation, implementation and maintenance of their solutions that you can validate and share with your QSA. If a vendor is selling you a product as a more effective means of meeting specific PCI requirements, they should be ready to help you clear the hurdles of implementing it as a compensating control.
Also, give yourself enough time to get things done right – our next best practice.
If you are familiar with the assessment process, you know that organizations prepare their SAQ or their own assessment working document and may at that time identify areas in which they are not currently compliant. Normal process then dictates that the internal team remediate any shortcomings, and compensating controls are often created and implemented during this remediation. However, if this activity is not completed well in advance (and it frequently isn't), these controls end up being implemented in a fire-drill situation. In these circumstances, according to the PCI Guru, "these situations can easily result in missing an organization's compliance filing date."
He recommends that you begin the process well in advance of any filing date deadline. Keep open lines of communication and plan ahead to get any controls in place and functioning without incident well in advance of your assessment.
Compensating controls can help an organization meet and even exceed the spirit of security envisioned by the PCI Standards. Plan well in advance and they can definitely make your life easier – but you must plan in advance.