Google Docs PCI Compensating Controls
This page refers to PCI Compensating Controls for Google Docs. We have another page for PCI DSS Compliance for Google Docs.
What are compensating controls?
For organizations that are unable to comply with the PCI DSS requirements as they are written, the PCI Security Standards Council (SSC) has provided a way to meet these requirements through the documentation of compensating controls.
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a technical specification of a requirement but has sufficiently mitigated the associated risk. According to CS Magazine, forty-one percent of merchants rely on compensating controls to meet PCI DSS requirements.
With compensating controls, it’s important to have a clear understanding of the specific PCI requirement and its intent. This helps organizations recognize how the requirement affects them, so they can work towards minimizing the underlying risk; a well-documented compensating control is considered a viable path to compliance.
PCI compensating controls require a significant amount of examination and process. When properly designed and maintained, these controls become another way for organizations to achieve and maintain PCI compliance.
Criteria for compensating controls
- Meet the intent and rigor of the original PCI DSS requirement.
- Provide a similar level of defense as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
- Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements).
- Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.
Compensating controls can be used for almost all the PCI requirements. A proper implementation of compensating controls consists of the following steps, each with the information that must be documented:
- Constraints: List the constraints that preclude compliance with the original PCI requirement.
- Objectives: Understand the objectives of the original controls and identify the objectives met by implementing the compensating controls.
- Risk: Identify any additional risks associated with not implementing the original PCI requirements.
- Definition: Define the relevant compensating control and explain how it addresses the objectives and the increased risk (if any) of not implementing the original PCI requirements.
- Implementation: Validate that the compensating controls were implemented and tested.
- Maintenance: Define the process to maintain the compensating controls over time.
Compliance With PCI Compensating Controls For Google Docs
- Visibility and control of access rights for all documents in the domain (even documents the administrator is not collaborating on).
- The ability to enforce access controls by changing and fixing permissions on all documents in the domain. All changes are tracked in a tamper-proof audit log.
- The ability to reassign document ownership in bulk from users that have left the company. Once the document’s ownership is transferred, users can be removed from the domain.
- Ongoing monitoring and alerting of any change to access rights with a full history of all permissions changes for all documents in the domain. All permissions changes performed by IT admins are also logged.
Sources:
- Payment Card Industry (PCI) Data Security Standard (PDF) – PCI Security Standards Council
- Understanding PCI Compensating Controls (PDF) – RSM McGladrey