PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) #

5 Criteria for Compensating Controls (PCI DSS) #

  1. Meet the intent and rigor of the original requirement
    The compensating control must achieve the same security goal as the original PCI DSS requirement.
  2. Provide a similar level of defense
    It must offer comparable protection — not weaker than the original control.
  3. Be above and beyond other PCI DSS requirements
    The control cannot rely solely on existing PCI DSS controls already required elsewhere.
  4. Be thoroughly documented
    Clearly explain how the control works, why it’s needed, and how it meets the same intent as the original requirement.
  5. Be validated and maintained
    The control must be tested, confirmed to work, and maintained to ensure ongoing effectiveness.

In Short #

  1. Must meet the intent.
  2. Must give similar defense.
  3. Must be above and beyond other requirements.
  4. Must address any additional risk that comes from the exception.
  5. Must address the requirement today and in the future.