PCI and the Art of the Compensating Control

Compensating controls are a standard part of any security posture. But what makes an effective compensating control?

By Branden Williams

March 15, 2010 | CSO

This guide to compensating controls is excerpted from chapter 12 of PCI Compliance by Dr. Anton Chuvakin and Branden Williams (Syngress, 2009). For a full sample chapter, see http://www.pcicompliancebook.info/

Information in this chapter:

  • What is a Compensating Control?
  • Where are Compensating Controls in PCI DSS?
  • What a Compensating Control Is Not
  • Funny Controls You Didn't Design
  • How to Create a Good Compensating Control

Few payment security professionals can find a hotter PCI DSS topic than compensating controls. They always look like this mythical accelerator to compliance used to push PCI Compliance initiatives through completion at a minimal cost to your company with little or no effort.

Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.

The goal of this chapter is to paint a compensating control mural. After reading this chapter, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).

What is a Compensating Control?

In the early years of the Payment Card Industry Data Security Standard (PCI DSS), and even one author's experience under the CISP program, the term compensating control was used to describe everything from a legitimate work-around for a security challenge to a shortcut to compliance. If you are considering a compensating control, you must perform a risk analysis and have a legitimate technological or documented business constraint before you even go to the next step. Companies being assessed will present more documented business constraints for review based on the current economic situation. Just remember the word legitimate and the phrase perform a risk analysis before proceeding to the next step. 'Bob' being on vacation is not a legitimate constraint, and an armchair review of the gap and potential control is not a risk analysis. Qualified Security Assessors (QSAs) should ask for documentation during a compliance review, and having it ready to go will make sure you are efficiently using their time. If they do not, you can bet that your assessment is not thorough.

Every compensating control must meet four criteria before it can be considered for validity. The four items that every compensating control must do are: meet the intent and rigor of the original PCI DSS requirement, provide a similar level of defense as the original PCI DSS requirement, be "above and beyond" other PCI DSS requirements, and be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement. If you think compensating controls are easy, please re-read the above statement.

NOTE:
The compensating control polygon has four specific points that must be met. For a compensating control to be valid, it must:
1. Meet the intent and rigor of the original PCI DSS requirement;
2. Provide a similar level of defense as the original PCI DSS requirement;
3. Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
For an example of a completed compensating control, review Appendix C of the PCI Security Assessment Procedures.

An example of a valid control might be using extra logs for the su command in UNIX to track actions executed under a shared root password. In rare cases, a system may not be able to use something like sudo to prevent shared administrator passwords from being used. Keep in mind, this is not a license to use shared passwords everywhere in your environment. Nearly every system can use something like sudo or "Run As", which is free or built into your OS, or a commercial variant if your platform requires it.
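The su logging control above only "compensates" if someone actually turns the extra log lines into an attribution record: which individual took the shared root password, from which terminal, when, and for how long. The script below is an added example (not from the book or from CSO) that does that over syslog-style su lines; the log lines are constructed for illustration and assume the classic `su[pid]: (to root) user on tty` and `pam_unix(su:session): session closed` message formats, which may differ on your platform.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines (not taken from any real system).
SAMPLE_LOG = """\
Mar 15 10:02:11 host1 su[2231]: (to root) alice on pts/0
Mar 15 10:02:11 host1 su[2231]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Mar 15 10:15:47 host1 su[2310]: FAILED SU (to root) bob on pts/1
Mar 15 11:40:03 host1 su[2502]: (to root) bob on pts/1
Mar 15 11:40:03 host1 su[2502]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Mar 15 11:58:30 host1 su[2502]: pam_unix(su:session): session closed for user root
"""

# Assumed message formats: the traditional su "(to TARGET) USER on TTY" line,
# optionally prefixed with "FAILED SU ", and the pam_unix session-closed line.
_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su\[(?P<pid>\d+)\]: "
SU_RE = re.compile(_TS + r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")
CLOSE_RE = re.compile(_TS + r"pam_unix\(su:session\): session closed for user (?P<target>\S+)$")


@dataclass
class SuEvent:
    ts: str
    host: str
    pid: int
    user: str      # the individual who invoked su (the accountable person)
    target: str    # the account switched to, e.g. root
    tty: str
    success: bool
    closed_at: Optional[str] = None  # filled in when the matching session-closed line is seen


def parse_su_events(log_text: str) -> List[SuEvent]:
    """Turn raw su log lines into one SuEvent per su attempt, with session close times attached."""
    events: List[SuEvent] = []
    open_by_key: Dict[tuple, SuEvent] = {}  # (host, pid) -> most recent successful event
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m:
            ev = SuEvent(ts=m["ts"], host=m["host"], pid=int(m["pid"]), user=m["user"],
                         target=m["target"], tty=m["tty"], success=m["failed"] is None)
            events.append(ev)
            if ev.success:
                open_by_key[(ev.host, ev.pid)] = ev
            continue
        m = CLOSE_RE.match(line)
        if m:
            ev = open_by_key.pop((m["host"], int(m["pid"])), None)
            if ev is not None and ev.target == m["target"]:
                ev.closed_at = m["ts"]
    return events


def root_session_report(events: List[SuEvent]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of successful and failed switches to root: the evidence a QSA would ask for."""
    successful = Counter(e.user for e in events if e.success and e.target == "root")
    failed = Counter(e.user for e in events if not e.success and e.target == "root")
    return {"successful": dict(successful), "failed": dict(failed)}


def unclosed_root_sessions(events: List[SuEvent]) -> List[SuEvent]:
    """Successful root sessions with no matching close line: review these first."""
    return [e for e in events if e.success and e.target == "root" and e.closed_at is None]


if __name__ == "__main__":
    evs = parse_su_events(SAMPLE_LOG)
    for e in evs:
        state = "ok" if e.success else "FAILED"
        print(f"{e.ts} {e.host} {e.user} -> {e.target} on {e.tty} [{state}] closed={e.closed_at}")
    print(root_session_report(evs))
    print("still open:", [e.user for e in unclosed_root_sessions(evs)])
```

The point of the report is accountability: a shared root password by itself tells you nothing about who acted, but the su line carries the invoking user and terminal, so the log becomes the control. Sessions that never close (alice's here) are the ones worth following up, since an unattributed period of root access is exactly the risk the original requirement was meant to remove.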

As stated earlier in this section, before immediately running down the compensating control route, be sure that you have done your research and make sure that you legitimately meet all of the requirements for a compensating control. Five years ago, compensating controls were relied on because most platforms did not have readily available solutions to certain components of the PCI DSS. That's not true today. As a rule of thumb, if the operating system can meet the patching requirements in 6.1, it will likely have everything you need available for it (possibly in later versions) to comply with PCI DSS.
