Are there alternatives, or compensating controls, that can be used to meet a requirement?
If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to requirements defined in PCI Data Security Standards. Compensating controls should meet the intention and rigor of the original PCI Data Security Standards, and should also be examined by the security assessor as part of the regular PCI Data Security Standards compliance audit. Compensating controls should be “above and beyond” other PCI Data Security Standards, and should not simply be in compliance with PCI Data Security Standards.
If a requirement is not, or cannot be, met exactly as stated, compensating controls can be considered as alternatives to requirements defined by the PCI DSS. Compensating controls should meet the intention and rigor of the original PCI requirement, and should be examined by the assessor as part of the regular PCI compliance audit.