What Are Compensating Controls?
Compensating controls are the formally documented alternative when an organisation genuinely can't meet a specific PCI DSS requirement as written. They're not workarounds and they're not shortcuts. They're a different way of getting to the same level of protection, and they only count once the assessor validating your compliance (a QSA or ISA for a Report on Compliance, or the worksheet review that accompanies a self-assessment) has accepted them. Most merchants find them more painful than just meeting the original requirement.
What Are Compensating Controls?
Compensating controls are the alternative security measures you can put in place when you genuinely can't meet a specific PCI DSS requirement as written. They're not shortcuts. They're not workarounds. They're formally documented alternatives that have to provide an equivalent level of protection to the original requirement.
Here's the everyday version: imagine the building regs require every office to have a sprinkler system. If your building genuinely can't take sprinklers — listed building, structural reasons, whatever it is — you might fit fire-resistant walls, extra extinguishers, and smoke detection instead. Those alternatives are your compensating controls. Different methods, same goal of fire safety.
When Are Compensating Controls Used?
Compensating controls exist for situations where a legitimate business or technical constraint stops you meeting a PCI DSS requirement directly. The usual scenarios:
- Legacy systems that can't be upgraded or replaced immediately but still need to be secured
- Mainframe environments where modern encryption standards aren't natively supported
- Business processes that require a specific workflow which clashes with a prescriptive PCI requirement
- Situations where the cost of meeting a control directly is disproportionate, but equivalent security is achievable another way
It's worth being blunt about this: compensating controls aren't a way to dodge security. The PCI SSC is clear that a compensating control has to meet the intent and the rigour of the original requirement. You can't just declare you've got one and move on — it has to be documented, assessed, and signed off.
How Compensating Controls Are Documented
PCI DSS requires a formal Compensating Controls Worksheet (Appendix C of the standard) for each requirement you meet with a compensating control. That worksheet covers:
- The original requirement that can't be met
- The specific constraint that prevents you meeting it as written
- A detailed description of the compensating control itself
- How the control addresses the risk the original requirement was designed to mitigate
- Evidence the compensating control is working and being actively maintained
This paperwork gets reviewed during PCI DSS assessments: by a QSA or ISA if you're producing a Report on Compliance, or as part of the self-assessment questionnaire otherwise. The assessor has to agree the compensating control genuinely provides equivalent protection. They don't always.
The Tests a Compensating Control Must Pass
For a compensating control to fly, it has to start from a legitimate technical or documented business constraint, and then clear several hurdles (these are the criteria set out in Appendix B of PCI DSS):
- It must meet the intent and rigour of the original requirement, addressing the same threat that requirement was designed to counter
- It must provide a similar level of defence
- It must go above and beyond other existing PCI DSS requirements. Simply complying with the rest of the standard is not a compensating control, and a requirement that already applies to the system under review can't double as the compensating control for it. A control you already have in place for another area can count, but only if it isn't already required for the item under review
- It must be commensurate with the additional risk created by not meeting the original requirement
- It must address the requirement now and keep addressing it in the future, which is why ongoing monitoring and evidence are part of the package
Why This Matters for Businesses
Compensating controls give organisations flexibility. PCI DSS is a thorough standard with hundreds of specific requirements, and real-world environments are messy. Not every system or process fits the framework cleanly, and compensating controls are the legitimate route through when direct implementation isn't possible.
The catch is that compensating controls usually turn out to be more complex and more expensive than just meeting the original requirement. Every one needs ongoing documentation, monitoring, and annual reassessment. Stack up multiple compensating controls across multiple requirements and the overhead gets real fast.
Relevance to Telephone Payments
Contact centres that take card payments by phone hit compensating-control territory all the time. A typical example: call recordings capture card data, and the recordings can't be encrypted or have the PAN rendered unreadable in the way PCI DSS Requirement 3 prescribes. The compensating controls might be restricted access, enhanced monitoring, and automatic deletion schedules. Note the limit, though: a compensating control doesn't let you retain sensitive authentication data such as the card verification code after authorisation. PCI SSC's guidance on call recordings treats that as prohibited storage in almost all cases, not as something to compensate for.
The trouble is those controls pile complexity onto an already painful compliance environment. We see contact centres burn six-figure budgets on compensating-control architecture that wouldn't have been needed if the card data had never entered the telephony in the first place. Removing card data from the contact centre entirely, through DTMF masking or similar, takes the recording platform, agent desktops and the telephony network out of scope for the requirements that were causing the trouble. No compensating controls needed because there's nothing to compensate for.
Practical Advice
If you're thinking about compensating controls, the first question to ask is whether the constraint that's blocking you can be removed instead. A system upgrade, a process change, a different technology choice — sometimes that gets rid of the need for a compensating control altogether. If a compensating control really is the right answer, document it properly and review it regularly. A badly documented compensating control is a compliance risk in its own right.
Compensating Controls Under PCI DSS v4.0
PCI DSS v4.0 introduces the "customised approach" as an alternative to the "defined approach" of implementing each requirement as written. Compensating controls remain part of the defined approach: you still need a legitimate constraint to use one. The customised approach is different. It lets you meet the stated objective of a requirement using a method of your own design without needing a constraint at all, but in exchange you have to produce a targeted risk analysis and a controls matrix for each requirement, and the assessor has to build a bespoke test for your control rather than working from the standard's procedures. It's more flexible, the documentation burden is higher, some requirements aren't eligible for it, and it's really only suitable for organisations with mature, risk-driven security programmes. For most businesses, compensating controls remain the more practical option when a specific requirement can't be met directly. Working out whether to use compensating controls or the customised approach is a conversation worth having with your QSA or ISA early, not after you've already invested in the wrong path.
Paytia's PCI DSS Level 1 certified platform is designed so that you don't need compensating controls in the first place. By processing phone payments through DTMF suppression, Paytia keeps card data out of the contact centre, so it is protected at every stage without the systems around the call ever handling it.
Frequently Asked Questions
What are compensating controls?
Compensating controls are formally documented alternative security measures you put in place when you genuinely can't meet a specific PCI DSS requirement as written. They have to deliver equivalent protection to the original requirement, they have to be signed off by an assessor, and they need ongoing documentation and reassessment to stay valid.
Why are compensating controls important for PCI DSS?
Because PCI DSS is prescriptive, and real-world environments don't always fit prescriptive standards. Compensating controls are the legitimate escape valve when a legacy mainframe, a business process constraint, or a disproportionate cost makes direct compliance unworkable. Without them, plenty of organisations couldn't be compliant at all.
How does Paytia handle compensating controls?
Honestly, the whole point of our platform is to make compensating controls unnecessary. When card data never enters your contact centre, because we intercept the DTMF tones at the audio layer, the systems that usually need compensating controls (call recording storage, agent workstations, the contact-centre network) fall out of scope for the requirements that were causing the problem. No card data, no requirement to compensate for, no worksheet to defend at audit.