Use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement. Note that compensating controls should also be documented in the Report on Compliance in the corresponding PCI DSS requirement section.
Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
| Information Required | Explanation |
|---|---|
| Constraints | List constraints precluding compliance with the original requirement. |
| Objective | Define the objective of the original control; identify the objective met by the compensating control. |
| Identified Risk | Identify any additional risk posed by the lack of the original control. |
| Definition of Compensating Controls | Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. |
| Validation of Compensating Controls | Define how the compensating controls were validated and tested. |
| Maintenance | Define the process and controls in place to maintain the compensating controls. |