Pci Dss

Payment Card Industry Data Security Standard (PCI DSS)

The 5 criteria for compensating controls

  1. The control must meet the intent and rigor of the original requirement.
  2. The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
  3. The control must be “above and beyond” other PCI DSS requirements.
  • The compensating control must provide MORE security than just meeting another existing PCI requirement. It can’t be something you’re already required to do anyway.
  • Why not “equal level”? Because you’re creating a gap by not following the original requirement. An equal-level control might leave the same risk exposure.
    • If you can’t put a seatbelt in a car, you don’t compensate with “equivalent safety”; you need a roll cage, better brakes, AND airbags to offset that missing safety control.
  4. The control must address the additional risk imposed by not adhering to the PCI DSS requirement.
  5. The control must address the requirement currently and in the future.

In Short

  1. Must meet the intent.
  2. Must give similar defense.
  3. Must be above and beyond other requirements.
  4. Must address any additional risk that comes from the exception.
  5. Must address the requirement today and in the future.