Comp_Control_Worksheet- Template
Appendix B: Compensating Controls

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to
legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of
other, or compensating, controls.
Compensating controls must satisfy the following criteria:
1. Meet the intent and rigor of the original PCI DSS requirement.
2. Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the
original PCI DSS requirement was designed to defend against. (See Navigating PCI DSS for the intent of each PCI DSS requirement.)
3. Be “above and beyond” other PCI DSS requirements. (Simply being in compliance with other PCI DSS requirements is not a compensating control.)
When evaluating “above and beyond” for compensating controls, consider the following:
Note: The items at a) through c) below are intended as examples only. All compensating controls must be reviewed and validated for sufficiency by
the assessor who conducts the PCI DSS review. The effectiveness of a compensating control is dependent on the specifics of the environment in
which the control is implemented, the surrounding security controls, and the configuration of the control. Companies should be aware that a
particular compensating control will not be effective in all environments.
a) Existing PCI DSS requirements CANNOT be considered as compensating controls if they are already required for the item under review. For
example, passwords for non-console administrative access must be sent encrypted to mitigate the risk of intercepting clear-text administrative
passwords. An entity cannot use other PCI DSS password requirements (intruder lockout, complex passwords, etc.) to compensate for lack of
encrypted passwords, since those other password requirements do not mitigate the risk of interception of clear-text passwords. Also, the other
password controls are already PCI DSS requirements for the item under review (passwords).
b) Existing PCI DSS requirements MAY be considered as compensating controls if they are required for another area, but are not required for the
item under review. For example, multi-factor authentication is a PCI DSS requirement for remote access. Multi-factor authentication from within
the internal network can also be considered as a compensating control for non-console administrative access when transmission of encrypted
passwords cannot be supported. Multi-factor authentication may be an acceptable compensating control if: (1) it meets the intent of the original
requirement by addressing the risk of intercepting clear-text administrative passwords; and (2) it is set up properly and in a secure environment.
c) Existing PCI DSS requirements may be combined with new controls to become a compensating control. For example, if a company is unable to
render cardholder data unreadable per Requirement 3.4 (for example, by encryption), a compensating control could consist of a device or
combination of devices, applications, and controls that address all of the following: (1) internal network segmentation; (2) IP address or MAC
address filtering; and (3) multi-factor authentication from within the internal network.
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
The assessor is required to thoroughly evaluate compensating controls during each annual PCI DSS assessment to validate that each compensating
control adequately addresses the risk the original PCI DSS requirement was designed to address, per items 1-4 above. To maintain compliance,
processes and controls must be in place to ensure compensating controls remain effective after the assessment is complete.

PCI DSS Template for Report on Compliance, Appendix B: Compensating Controls April 2016
© 2016 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
Appendix C: Compensating Controls Worksheet
Use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement. Note
that compensating controls should also be documented in the Report on Compliance in the corresponding PCI DSS requirement section.
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use
of compensating controls to achieve compliance.

Requirement Number and Definition:

Information Required | Explanation (to be completed by the entity for each row)

1. Constraints
   List constraints precluding compliance with the original requirement.

2. Objective
   Define the objective of the original control; identify the objective met by the compensating control.

3. Identified Risk
   Identify any additional risk posed by the lack of the original control.

4. Definition of Compensating Controls
   Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.

5. Validation of Compensating Controls
   Define how the compensating controls were validated and tested.

6. Maintenance
   Define process and controls in place to maintain compensating controls.

PCI DSS Template for Report on Compliance, Appendix C: Compensating Controls Worksheet April 2016
Copyright 2016 PCI Security Standards Council LLC Page 2
Compensating Controls Worksheet – Completed Example
Use this worksheet to define compensating controls for any requirement noted as being “in place” via compensating controls.
Requirement Number: 8.1.1 – Are all users identified with a unique user ID before allowing them to access system components or cardholder data?

Information Required | Explanation

1. Constraints
   Information required: List constraints precluding compliance with the original requirement.
   Explanation: Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.

2. Objective
   Information required: Define the objective of the original control; identify the objective met by the compensating control.
   Explanation: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

3. Identified Risk
   Information required: Identify any additional risk posed by the lack of the original control.
   Explanation: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.

4. Definition of Compensating Controls
   Information required: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   Explanation: Company XYZ is going to require all users to log into the servers using their regular user accounts, and then use the “sudo” command to run any administrative commands. This allows use of the “root” account privileges to run pre-defined commands that are recorded by sudo in the security log. In this way, each user’s actions can be traced to an individual user account, without the “root” password being shared with the users.

5. Validation of Compensating Controls
   Information required: Define how the compensating controls were validated and tested.
   Explanation: Company XYZ demonstrates to assessor that the sudo command is configured properly using a “sudoers” file, that only pre-defined commands can be run by specified users, and that all activities performed by those individuals using sudo are logged to identify the individual performing actions using “root” privileges.

6. Maintenance
   Information required: Define process and controls in place to maintain compensating controls.
   Explanation: Company XYZ documents processes and procedures to ensure sudo configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually identified, tracked and logged.
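Rows 4 to 6 of the completed example rest on two things an assessor can check: that sudo logs every privileged command against the individual user who ran it, and that the set of commands sudo actually ran stays within the pre-defined list from the sudoers file. The script below is an added illustration of that check and is not part of the PCI SSC template or of any Company XYZ material. It reads sudo syslog entries, attributes each one to a user, and flags any accepted command that is not on the allow-list, which is the drift that the row 6 maintenance process is meant to prevent. The hostname srv1, the user names, the allow-list and the log lines are all constructed for the example; the sudoers Cmnd_Alias in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the PCI SSC template): audit sudo syslog entries against the
# pre-defined command list that a sudoers file is supposed to enforce. Hostname, users,
# allow-list and log lines below are constructed for illustration.

# Constructed allow-list mirroring a hypothetical Cmnd_Alias in /etc/sudoers:
#   Cmnd_Alias ADMIN_CMDS = /usr/sbin/service, /usr/bin/systemctl
ALLOWED_CMDS='/usr/sbin/service
/usr/bin/systemctl'

# Constructed sample lines in the format sudo writes to syslog (auth.log / secure).
SUDO_LOG_SAMPLE='Apr  1 10:15:02 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd restart
Apr  1 10:16:40 srv1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Apr  1 10:17:05 srv1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/sh
Apr  1 10:18:30 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sshd'

# is_allowed CMD: exit 0 if CMD (the executable path) is on the allow-list.
is_allowed() {
    printf '%s\n' "$ALLOWED_CMDS" | grep -Fxq -- "$1"
}

# sudo_audit: read sudo log lines on stdin, print one "<STATUS> <user> <command>" per entry.
#   ALLOWED   sudo ran a command that is on the allow-list (expected, traceable to the user)
#   DENIED    sudo refused the command; the sudoers policy worked, still worth reviewing
#   VIOLATION sudo ran a command that is NOT on the allow-list; the sudoers file has drifted
sudo_audit() {
    while IFS= read -r line; do
        case "$line" in
            *" sudo: "*) ;;
            *) continue ;;      # not a sudo entry
        esac
        # The invoking user sits between "sudo:" and the first " :".
        user=$(printf '%s\n' "$line" | sed -n 's/^.*sudo:[[:space:]]*\([^[:space:]]*\) :.*$/\1/p')
        # Only the executable path is compared; arguments are kept in the log but not judged here.
        cmd=$(printf '%s\n' "$line" | sed -n 's/^.*COMMAND=\([^[:space:]]*\).*$/\1/p')
        [ -n "$user" ] && [ -n "$cmd" ] || continue
        case "$line" in
            *"command not allowed"*|*"NOT in sudoers"*) status=DENIED ;;
            *) if is_allowed "$cmd"; then status=ALLOWED; else status=VIOLATION; fi ;;
        esac
        printf '%s %s %s\n' "$status" "$user" "$cmd"
    done
}

# count_status STATUS: number of audited sample entries with the given status.
count_status() {
    printf '%s\n' "$SUDO_LOG_SAMPLE" | sudo_audit | grep -c "^$1 "
}

# Stand-alone run: print the attribution table for the constructed sample.
printf '%s\n' "$SUDO_LOG_SAMPLE" | sudo_audit
```

On a real host the same function would be fed the live log (for example `sudo_audit < /var/log/auth.log`) and the allow-list would be generated from the sudoers file rather than typed in, so that a VIOLATION line can only mean the policy and the log disagree. Every entry keeps the individual user name, which is the traceability the row 2 objective asks for.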
