Use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement.
Note that compensating controls should also be documented in the Report on Compliance in the corresponding PCI DSS requirement section.
| Information Required | Explanation |
| --- | --- |
| 1. Constraints: List constraints precluding compliance with the original requirement. | Your explanation goes here |
| 2. Objective: Define the objective of the original control; identify the objective met by the compensating control. | Your explanation goes here |
| 3. Identified Risk: Identify any additional risk posed by the lack of the original control. | Your explanation goes here |
| 4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. | Your explanation goes here |
| 5. Validation of Compensating Controls: Define how the compensating controls were validated and tested. | Your explanation goes here |
| 6. Maintenance: Define the process and controls in place to maintain the compensating controls. | Your explanation goes here |
Below is a sample using Requirement Number 8.1.1 as an example.
8.1.1 – Are all users identified with a unique user ID before allowing them to access system components or cardholder data?
| Information Required | Explanation |
| --- | --- |
| 1. Constraints: List constraints precluding compliance with the original requirement. | Company XYZ employs stand-alone Unix servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login, nor is it feasible to log all “root” activity by each user. |
| 2. Objective: Define the objective of the original control; identify the objective met by the compensating control. | The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Second, having shared logins makes it impossible to state definitively that a person is responsible for a particular action. |
| 3. Identified Risk: Identify any additional risk posed by the lack of the original control. | Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked. |
| 4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. | Company XYZ is going to require all users to log into the servers using their regular user accounts, and then use the “sudo” command to run any administrative commands. This allows use of the “root” account privileges to run pre-defined commands that are recorded by sudo in the security log. In this way, each user’s actions can be traced to an individual user account, without the “root” password being shared with the users. |
| 5. Validation of Compensating Controls: Define how the compensating controls were validated and tested. | Company XYZ demonstrates to the assessor that the sudo command is configured properly using a “sudoers” file, that only pre-defined commands can be run by specified users, and that all activities performed by those individuals using sudo are logged to identify the individual performing actions using “root” privileges. |
| 6. Maintenance: Define the process and controls in place to maintain the compensating controls. | Company XYZ documents processes and procedures to ensure sudo configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually identified, tracked and logged. |