Appendix C Compensating Controls Worksheet
The entity must use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement. Note that compensating controls should also be documented in accordance with instructions in the Report on Compliance in the corresponding PCI DSS requirement section.
Note: Only entities that have legitimate and documented technological or business constraints can consider the use of compensating controls to achieve compliance.
Requirement Number and Definition:
| Information Required | Explanation | |
|---|---|---|
| 1. Constraints | Document the legitimate technical or business constraints precluding compliance with the original requirement. | |
| 2. Definition of Compensating Controls | Define the compensating controls: explain how they address the objectives of the original control and the increased risk, if any. | |
| 3. Objective | Define the objective of the original control (for example, the Customized Approach Objective). Identify the objective met by the compensating control (note: this can be, but is not required to be, the stated Customized Approach Objective for the PCI DSS requirement). | |
| 4. Identified Risk | Identify any additional risk posed by the lack of the original control. | |
| 5. Validation of Compensating Controls | Define how the compensating controls were validated and tested. | |
| 6. Maintenance | Define process(es) and controls in place to maintain compensating controls. | |