A compensating control, also called an alternative control, is a mechanism put in place to satisfy a security requirement that is deemed too difficult or impractical to implement at the present time. A compensating control must meet four criteria: it must meet the intent of the original requirement with the same rigor as the original security requirement; it must provide a similar and adequate level of defense; it must go “above and beyond” other PCI DSS requirements; and it must be commensurate with the additional risk imposed by not adhering to the original PCI DSS requirement.
More information on compensating controls
Would you like to learn more about compensating controls? Get a Governance, Risk and Compliance (GRC) demonstration of Rsam. Learn more about Rsam's innovations and view our GRC architecture videos.