Compensatory Security Controls: The Alternative Solution


In the modern-day threat landscape, organizations cannot sit back and wait for an attack to happen. They need to implement a comprehensive security program covering their people, process, and technology to prevent cyberattacks. At the same time, they need to ensure that if attackers break into the organizational network, there are sufficient controls in place to minimize the damage and prevent any further intrusion. In this series of articles on security controls, we have covered various types of security controls such as preventive, detective, corrective, and compensatory.

Organizations implement preventive security controls to defend their IT infrastructure against ever-evolving threats and attacks. Preventive controls include measures such as endpoint protection and multi-factor authentication. When preventive controls fail, detective controls are responsible for detecting unauthorized activities in the minimum possible time. Detective controls include intrusion detection systems (IDS), anti-virus software, and logging and monitoring solutions like Security Information and Event Management (SIEM). Once a security incident has occurred and been detected, corrective security controls help restore the affected systems or resources to their original state.

What are compensatory security controls?

While it is easy to understand the relationship between preventive, detective, and corrective controls, compensatory controls are slightly different in terms of their scope and applicability. Put plainly, compensatory controls provide an alternative solution to a security or compliance requirement that is not feasible to implement as specified at this point in time.

Compensatory security controls are easiest to understand in the context of PCI DSS (Payment Card Industry Data Security Standard). PCI SSC (Payment Card Industry Security Standards Council) introduced compensatory controls in PCI DSS v1.0 and specified that compensatory controls that implement alternative measures must fulfil the following criteria:

  1. It must meet the intent and rigor of the original requirement.
  2. The level of defense must be similar to that of the original requirement.
  3. It addresses the additional risk introduced due to non-fulfilment of the original requirement.
  4. It should go beyond the PCI DSS requirements.




Understanding PCI DSS criteria for compensatory security controls

To fulfill the first criterion, an alternative solution must provide the same or better protection to IT infrastructure as the original control would have. For example, one of the PCI DSS requirements is to maintain a firewall to protect cardholder data. The thought process behind this requirement is to ensure that cardholder data remains protected from attackers and unauthorized internet access. Consider a scenario in which your organization does not have a firewall. Until the firewall is set up and available, you must implement adequate security measures that give the cardholder data the same level of protection as a firewall would provide. This temporary arrangement is an excellent example of how compensatory controls function.

The second criterion is similar to the first one in practical implication. If a compensating control is not able to minimize the level of risk better than the original control, it may be deemed ineffective in independent assessments.

In line with this, the third criterion expects organizations to ensure that a compensatory control addresses risks introduced due to non-fulfilment of original requirements. If a compensatory control results in a higher risk than the actual requirement, this criterion will not be satisfied.

The fourth criterion states that a compensatory control should also go beyond the PCI DSS requirements instead of merely satisfying another given requirement. PCI SSC expects that organizations will not use a primary control for one requirement as a compensatory control for another requirement. However, in one of its guidance documents, it has clarified that in particular cases a primary control for an existing requirement can be considered a compensatory control for another requirement. For example, PCI DSS requires two-factor authentication (2FA) for remote access. Consider a situation in which the existing infrastructure cannot support the transmission of an encrypted password for internal access. As a result, the organization makes it mandatory to authenticate using 2FA even for internal access. Here, 2FA is an adequate compensatory control.

Ending notes

In our PCI DSS consulting engagements, we have come across multiple instances where organizations were under the impression that they had implemented adequate compensatory controls. However, after initial discussions, our findings were contradictory. To address the gaps, our experts helped in designing an effective set of controls to meet their compliance needs. At LIFARS, our proprietary systematic process has been enriched with over 20 years of experience, including some of the most high-profile engagements across the globe. Our methodology outperforms our competitors in the length of engagement and quality of work. It relies on standards such as OSSTMM, OWASP Top 10, ISO 27001 best practices, and NIST 800-30, among others.