Compensating Controls
On an annual basis, any compensating controls must be documented, reviewed and validated by the assessor and included with the Report on Compliance submission, per Appendix B: Compensating Controls and Appendix C: Compensating Controls Worksheet.
For each and every compensating control, the Compensating Controls Worksheet (Appendix C) must be completed. Additionally, compensating control results should be documented in the ROC in the corresponding PCI DSS requirement section.
See the above-mentioned Appendices B and C for more details on “compensating controls.”