Ed Welsh, Director, Security & Compliance

Managed Hosting Compensating Controls

Posted by Ed Welsh, Director, Security & Compliance on December 28, 2009 10:27 AM

Briefly: What is a Compensating Control?

The Payment Card Industry Data Security Standard (PCI DSS) roughly defines compensating controls as a method to meet the intent of a DSS requirement, while not implementing the control as written by the PCI Security Standards Council. This was a smart move on the part of the Council. They are saying that the prescriptive requirements may not be the best approach in every situation, and they allow implementers to work outside the box as long as the intent of the standard is being met.

Compensating controls have become necessary for situations where the combination of technical and business constraints prevents a control from being implemented. The typical reason for implementing compensating controls is the inherent expense involved with implementing the original DSS controls. This is not surprising considering the requirements for such things as automatic access control management, centralized logging, integrity monitoring, and all the vulnerability management technologies.

QSA's Perspective on Compensating Controls

QSAs (Qualified Security Assessors) really dislike compensating controls. It has been my experience that the dislike is due to the additional effort required to report compensating controls. For a QSA, the DSS is a list of requirements for which they test the controls. A compensating control does not have a clean pass/fail and must be fully documented in the Report on Compliance (RoC) in such a way as to fully explain how it meets the intent of the requirement it replaces. Further, the QSA cannot simply use documentation provided by the merchant/service provider. The QSA must fully understand the new control so that they can make a judgment call as to whether it meets the original intent, as well as document it for the RoC. An assessment that involves multiple compensating controls will drag out much longer than one without them. Many assessment engagements use a fixed project pricing method, which means the longer an assessment takes, the thinner the profit margin for the assessment company.

Managed Hosting Impact on Compensating Controls

Compensating controls all by themselves are a wrench in the PCI DSS assessment process. Add in a third-party managed hosting provider and things get real sticky, especially if the hosting provider does not fully support the PCI requirements, leaving the client to dig details out of a set of offsite tools that only partially describe an environment. A managed hosting provider utilized for systems requiring PCI DSS compliance will need a capability to deal with compensating controls. It means providing reasonable customization with the expertise to understand how that customization will affect a PCI DSS assessment.

Being a managed services provider, GSI must deal with the engineering, documentation, and implementation of compensating controls for client PCI DSS environments. It is not easy and there are many challenges. Any customization that pushes the boundaries of our standard operating procedures risks failure, and we must be vigilant with our audits and reporting to catch any discrepancies. Still, without doubt, it is worth having the capability to do it. Having that flexibility really tells the story when our clients continually pass PCI DSS assessments year after year.


Posted in: Security & PCI
