PCI compensating controls: Loopholes or lifesavers?

Compensating controls enable organizations to meet the intent of PCI requirements without breaking business processes -- or the bank.

As compliance with the Payment Card Industry Data Security Standard (PCI DSS) has become more complex, an increasing number of businesses rely on compensating controls to satisfy requirements they'd otherwise have no way of meeting.

Designed to enable companies to comply with the spirit and intent of the requirements, compensating controls have also become something of a hot-button issue, as some assessors question whether organizations are using them as a loophole when a control is otherwise too costly to implement. Version 1.1 of PCI DSS, released in 2006, somewhat closed the loophole, however, when the council declared that compensating controls could not be used unless an organization had already failed one assessment.

Compensating controls

Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
Compensating controls must:
1) Meet the intent and rigor of the original stated PCI DSS requirement;
2) Repel a compromise attempt with similar force;
3) Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements);
4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

Source: PCI DSS v1.1

In practice, there are only two reasons for a company to use a compensating control: a business or technical constraint, or a physical impossibility to implement a primary control. For example, a retailer with 5,000 locations would have a physical problem deploying encryption on all its legacy point-of-sale systems, resulting in the use of a compensating control, says James DeLuccia, a PCI expert and author of IT Compliance and Controls.

But some companies need to do a better job of understanding the intent of the primary control before deploying something else and calling it a compensating control. Often, they fail to provide the documentation described in the compensating controls worksheet, which identifies and supports how the cardholder data will be protected using a different method, DeLuccia said.

PCI compliance checklist
Companies should begin by identifying the issues that may preclude compliance with the requirement, DeLuccia said. Then define the objective being met by the compensating control and conduct a risk analysis to determine any additional risks. Test, document and explain how the compensating control meets the objective. The explanation should address how it meets the original objective and the identified expanded risks, DeLuccia said.

"PCI requires seven-character passwords. Some people have mainframes that don't allow passwords longer than six characters, so you automatically can't satisfy that without replacing the mainframe," said Michael Gavin, a security strategist at Security Innovation Inc. and a Qualified Security Assessor (QSA). "A compensating control is if you can force all connections to go through an authentication phase before the password. That meets the requirement."

The current process for an assessor to approve PCI compensating controls introduces potential problems. Organizations may change auditors year after year, so a level of uncertainty exists in the acceptance of these controls, DeLuccia said. Also, the auditor has an incentive to accept the compensating control, because he serves the client. Finally, DeLuccia said compensating controls require more mature control environments, which could mean additional processes and technologies to fully address the risk.

"A common mistake is thinking that compensating controls are temporary -- not necessarily. They may remain in place so long as they satisfy the risk appropriately," DeLuccia said.

Don't forget to document compensating controls
In recent months, the PCI Standards Council addressed the methodology for determining and documenting compensating controls, which is creating better transparency. This is better for everyone involved because it protects the QSA from accepting a set of compensating controls with less risk, while ensuring payment operators are not singled out and penalized unnecessarily, DeLuccia said.

Roger Nebel, an independent PCI DSS auditor and director of strategic security at FTI Consulting Inc., agrees that PCI compensating controls should be chosen very carefully and always be well documented. The company should understand the strength of the primary control and what it's intended to do. Once implemented, an assessor has to evaluate whether the compensating control meets the objective of the primary control and whether other entry points are opened to the sensitive data, Nebel said.

Still, whether a compensating control passes muster will be up to each individual assessor and ultimately the strength of the organization's documentation.

"They certainly need to be reviewed every year. As long as you are meeting the intent of the requirement as stated, it's normally OK," Gavin said. "The real purpose is to allow people to be compliant without forcing them to buy new products. If you have to be compliant, meeting the letter could cost you a fortune and the controls are an acknowledgement that people were doing security before and maybe what they were doing was good enough and can be augmented."

The PCI Security Standards Council is trying to address the inconsistencies among qualified security assessors (QSAs). It's developing a training program and an assessor evaluation program. An assessment team appointed by the council will evaluate feedback from merchants on assessors. Negative feedback could result in a probation and revocation process for assessors.

Experts say that as the standard evolves, the use of compensating controls will become less clouded. Although it's not an official compensating control, Nebel points out that network segmentation is one form of compensating control. Segmenting shouldn't be taken lightly, he said. Sometimes company executives believe they have segmented off the cardholder data, but the QSA discovers entry points from the main network.

"You're narrowing down the scope of the systems you're going to look at," Nebel said. "You're isolating the cardholder data from normal network activity either through a VLAN or a firewall."

Nebel evaluated a service provider that claimed its cardholder environment was segmented. But after reviewing the documentation and assessing the controls in place, Nebel found the environment could be accessed administratively from certain workstations.

"There's a whole set of controls for remote management that requires communications to be encrypted and two-factor authentication," Nebel said. "They thought everything was fine, but it wasn't."

While network segmentation helps reduce the scope of a project, other areas, including PCI requirement 6.6, could be ones where compensating controls help meet the requirement, said Mike Rothman, president and principal analyst of Security Incite. PCI requirement 6.6 gives two options for protecting Web applications -- application code reviews and Web application firewalls.

For the best protection, the PCI Security Standards Council recommends using both methods. But securing Web applications is difficult, and while some organizations could look at Web application firewalls as the answer, others will look for alternatives to satisfy the requirement, Rothman said.

"When an in-depth code review or alternative measures may not be feasible, some folks may try to get creative," Rothman said.

Assessor has final say
Rothman agrees that ultimately the success or failure of implementing a compensating control will come down to the judgment and experience of the assessor. A company whose credit card data is protected by several layers of security and can be accessed only by an internal person with the proper administrative controls will likely meet the encryption requirement via a compensating control, but it will all come down to the assessor's judgment, Rothman said.

"It's up to the experience and capabilities of the assessor to really distinguish whether a compensating control really does solve the problem," he said. "Companies will still want to go through the process and look at it from an attack vector standpoint and ensure that nothing was missed."

There are no generic answers -- every company has a slightly different environment around its credit card transaction systems -- so that's why compensating controls are unacceptable for the first assessment, Rothman said. The PCI Data Security Standard lays that out, saying that companies should be aware that a particular compensating control will not be effective in all environments.

"I look at everything with a skeptical eye. As a QSA, I have to look for weaknesses and make sure things are implemented and managed properly. Is this control adequate? Does it meet the requirement?" Gavin asked. "To me, the intent is to improve everyone's security to a certain level. If it's cheaper, that's OK."