The PCI Security Standards Council (PCI SSC) has released a new information supplement, PCI DSS v4.x: Guidance for Compensating Controls and the Customized Approach. The document provides practical guidance to help assessed entities and assessors navigate two options in PCI DSS v4.x that provide flexibility but are often misunderstood – the use of compensating controls and the customized approach. PCI SSC developed this guidance in collaboration with industry stakeholders, including the Global Executive Assessor Roundtable (GEAR) and the Board of Advisors (BOA).
PCI DSS v4.x offers organizations two paths to implement and validate PCI DSS requirements: the defined approach and the customized approach. The two approaches differ in intent, required elements, documentation, and validation. Compensating controls are an option within the defined approach and serve a different purpose from the customized approach: compensating controls are used when an organization has a legitimate technical or business constraint and cannot meet a requirement as stated, whereas the customized approach is for entities that choose to meet a requirement differently than is stated.
Highlights Include:
- Compensating Controls are Not the Same as the Customized Approach: Compensating controls apply when an organization cannot meet a defined requirement due to a legitimate technical or business constraint. The customized approach is for entities that choose to meet a requirement differently by satisfying its stated Customized Approach Objective through a novel control design.
- The Customized Approach is for Risk-Mature Organizations: The customized approach is not universally appropriate. It is designed for entities with robust risk management practices - including dedicated risk management functions and the internal capacity to design, implement, document, test, and maintain their own controls over time.
- Documentation Quality is Critical: Entities are encouraged to prepare clear, complete, and well-structured documentation for their compensating or customized controls. If an entity’s documentation is incomplete, an assessor may be unable to validate that a control is in place and operating effectively. Documentation is expected to clearly demonstrate how objectives are met and how risks are addressed, without relying on undocumented context.
- Assessor Independence Must Be Preserved: Assessor independence is a fundamental tenet of PCI DSS assessments and applies equally to compensating controls and customized implementations. The assessed entity is responsible for the development, implementation, and maintenance of the control. An assessor involved in designing or implementing a control cannot also assess that same control.
- Both Options Can Coexist for the Same Requirement: Entities can use compensating controls for some system components and the customized approach for others - even for the same PCI DSS requirement. Each instance must be documented separately, and each must satisfy the applicable objectives.
The new guidance document addresses the roles of both assessed entities and assessors, and provides references and supporting materials, including an Appendix with a variety of completed examples of compensating control and customized approach templates.
Organizations undergoing PCI DSS assessments should review this information supplement, which is now available in the PCI SSC Document Library. Entities planning to use either approach should work with the organization(s) that manage their compliance program, such as an acquirer (merchant bank), payment brand, or other entity, to understand their compliance validation and reporting responsibilities.

