Chapter 12. The Art of Compensating Control
Few payment security professionals can find a hotter Payment Card Industry Data Security Standards (PCI DSS) topic than compensating controls. They often look like this mythical compliance accelerator used to push PCI compliance initiatives through completion at a minimal cost to your company with little or no effort.
Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee that a compensating control accepted today will also work one year from now, and the evolution of the standard itself could render a previous control invalid.
The goal of this chapter is to paint a compensating control ...