What Are Compensating Controls?

Compensating controls are alternative security measures that can be implemented when an organisation cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints.

What Are Compensating Controls?

Compensating controls are alternative security measures that an organisation can put in place when it cannot meet a specific PCI DSS requirement exactly as written. They are not shortcuts or workarounds -- they are formally documented alternatives that must provide an equivalent level of protection to the original requirement.

To put it in everyday terms: imagine a building regulation requires every office to have a sprinkler system. If your building's structure genuinely cannot support sprinklers, you might install fire-resistant walls, additional fire extinguishers, and smoke detection systems instead. Those alternatives are your compensating controls -- different methods that achieve the same goal of fire safety.

When Are Compensating Controls Used?

Compensating controls exist for situations where a legitimate business or technical constraint prevents an organisation from meeting a PCI DSS requirement directly. Common scenarios include:

  • Legacy systems that cannot be upgraded or replaced immediately but still need to be secured
  • Mainframe environments where modern encryption standards are not natively supported
  • Business processes that require a specific workflow which conflicts with a prescriptive PCI requirement
  • Situations where the cost of full compliance with a specific control would be disproportionate, but equivalent security can be achieved another way

It is important to stress that compensating controls are not an excuse to avoid security. The PCI SSC is very clear: a compensating control must meet the intent and rigour of the original requirement. You cannot simply declare that you have a compensating control and move on -- it must be formally documented, assessed, and approved.

How Compensating Controls Are Documented

PCI DSS requires a formal Compensating Controls Worksheet for each control used. This worksheet must include:

  • The original requirement that cannot be met
  • The specific constraint or reason why the requirement cannot be met as stated
  • A detailed description of the compensating control itself
  • An explanation of how the control addresses the risk that the original requirement was designed to mitigate
  • Evidence that the compensating control is effective and is being actively maintained

This documentation is reviewed during PCI DSS assessments by a QSA (for Level 1 merchants) or through the self-assessment process. The assessor must agree that the compensating control genuinely provides equivalent protection.

The Tests a Compensating Control Must Pass

For a compensating control to be accepted, it must satisfy several conditions:

  • It must address the same threat that the original requirement was designed to counter
  • It must provide a similar level of defence
  • It must go above and beyond other existing PCI DSS requirements (you cannot use an existing requirement as a compensating control for a different one)
  • It must be proportionate to the additional risk created by not meeting the original requirement

Why This Matters for Businesses

Compensating controls give organisations flexibility. PCI DSS is a comprehensive standard with hundreds of specific requirements, and real-world environments are complex. Not every system, process, or technology fits neatly into the framework, and compensating controls provide a legitimate path to compliance when direct implementation is not feasible.

However, compensating controls often end up being more complex and more expensive to maintain than simply meeting the original requirement. Each one requires ongoing documentation, monitoring, and annual reassessment. Over time, the overhead can become significant, especially if an organisation relies on multiple compensating controls across different requirements.

Relevance to Telephone Payments

Contact centres that take card payments over the phone frequently encounter scenarios where compensating controls come into play. For example, if call recordings capture card data and the recordings cannot be encrypted in the way PCI DSS prescribes, an organisation might implement compensating controls such as restricted access, enhanced monitoring, and automatic deletion schedules.

The challenge is that these compensating controls add layers of complexity to an already demanding compliance environment. Many organisations find that a more effective approach is to remove card data from the telephony environment entirely -- using DTMF suppression or similar technology -- so that the problematic requirements no longer apply and compensating controls are not needed.

Practical Advice

If you are considering compensating controls, start by asking whether the constraint that prevents you from meeting the original requirement can be resolved. Sometimes a system upgrade, a process change, or a different technology choice eliminates the need for a compensating control entirely. If a compensating control truly is the best path, invest the time to document it thoroughly and ensure it is reviewed regularly. A poorly documented compensating control is a compliance risk in itself.

Compensating Controls Under PCI DSS v4.0

PCI DSS v4.0 introduces the "customised approach" as an alternative to compensating controls in some situations. The customised approach allows organisations to meet the intent of a requirement using a different method, without the formal compensating controls process. However, it requires a more detailed assessment and is only suitable for organisations with mature security programmes. For many businesses, compensating controls remain the more practical option when a specific requirement cannot be met directly. Understanding the distinction between compensating controls and the customised approach -- and choosing the right path for your situation -- is something to discuss with your QSA or ISA.

How Paytia Uses This

Paytia's PCI DSS Level 1 certified platform incorporates compensating controls as part of its comprehensive security approach. By processing phone payments through DTMF suppression, Paytia ensures card data is protected at every stage.

Frequently Asked Questions

What are compensating controls?

Compensating controls are alternative security measures that can be implemented when an organisation cannot meet a specific PCI DSS requirement due to legitimate technical or business constraints.

Why are compensating controls important for PCI DSS?

PCI DSS requires organisations to implement compensating controls as part of their security controls for protecting cardholder data.

How does Paytia handle compensating controls?

Paytia implements compensating controls as part of its PCI DSS Level 1 certified infrastructure, ensuring all phone payments are processed securely.
