[PCI DSS 3.0] Compensating Control Requirement Number and Definition

Use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement. Note that compensating controls should also be documented in the Report on Compliance in the corresponding PCI DSS requirement section.

Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.

  1. Constraints List constraints precluding compliance with the original requirement.
  2. Objective Define the objective of the original control; identify the objective met by the compensating control.
  3. Identified Risk Identify any additional risk posed by the lack of the original control.
  4. Definition of Compensating Controls Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
  5. Validation of Compensating Controls Define how the compensating controls were validated and tested.
  6. Maintenance Define process and controls in place to maintain compensating controls.