4.1 Compensating Controls

00:00

welcome to the cyber E d Mystifying P. C. I. D. S s compliance course.

00:05

This module focuses on how to develop strategies to meet PC I compliance objectives.

00:11

This video focuses on the implementation of compensating controls to mitigate risks

00:17

in instances where the merchant can't meet the requirements do to constraints.

00:23

The learning objective is to explore the use of compensating controls in the CD

00:31

PC. I recognizes that there may be instances where the merchant is prohibited from meeting. Some of the requirements do too

00:39

legitimate problems.

00:41

The constraint maybe do tow business or technical reasons that prevent the implementation of a requirement as explicitly stated in the PC I standard.

00:50

So p c. I has put in place some flexibility for the merchant to meet the spirit of the requirement in different ways.

00:56

The flexibility is granted with compensating controls.

01:02

A compensating control is a work around for a security requirement.

01:06

It's another way to reach the objective of a specific security requirement without satisfying the requirement itself.

01:12

In other words, it's a plan B to meet a requirement.

01:15

Understanding the requirement and its objectives is therefore of the utmost importance in choosing and evaluating a compensating control.

01:26

The PC idea says, says that compensating controls will be considered for most requirements but does not specify exactly which requirement and won't consider them for

01:37

previously only requirement 3.2, which is the prohibition of storing sensitive authentication data after authorization, was prohibited from having a compensating control apply to it.

01:49

But now there's some information floating out there that says even that one could have some compensating controls around them.

01:55

So there's more ambiguity.

01:57

But as a merchant, you should probably really try to stay away from trying to apply a compensating control to this requirement.

02:06

In orderto leverage, a compensating control, the merchant must provide that the roadblock to implementing the requirement is temporary due to a legitimate technical or business constraints.

02:16

Temporary is a key word here because work around should never be permanent.

02:21

You need to regularly assess to see how the problem can be solved. To meet the mandate from P. C. I.

02:28

Every year you're compensating, control will be scrutinized by your assessor, and changing conditions could be a threat to your compliance.

02:37

Legitimate is another ambiguous word that is completely left up to interpretation.

02:43

You will not win any leniency if you try to use the price of implementation as a legitimate reason.

02:49

However, if you're running a mission critical systems on software that's no longer supported, then you are more likely to garner sympathy from your assessor.

02:58

You need to be able to demonstrate that your hands are tied at the moment, but they will no longer be in time,

03:02

price or lack of expertise. They're not excuses that will allow you to get by.

03:09

Compensating control must meet the intent of the requirement it's supposed to replace.

03:15

You must have the same or higher level of protective measures and without introducing any other major risks to the environment.

03:25

Every compensating control must be supported by a risk analysis and it must be documented.

03:31

PC I provides this compensating control worksheet as an appendix to the P. C. I. D. S s guy.

03:38

This worksheet will be included in the report submitted by our que Essa.

03:43

You need to define what's keeping you from meeting the requirements as stated

03:46

what the original objective of the control is,

03:50

what risk is associated with your compensating control.

03:53

Any explanation of your compensating control,

03:58

how the control was validated

04:00

and how you're going to maintain the compensating control.

04:03

The PC High Council then gives you an example of what it looks like to fill in the worksheet and an acceptable manner.

04:13

As a merchant, you have to be aware that most auditors air risk averse.

04:17

They understand that if they sign off on the compensating control, another auditor may come in after them. And Dean, you're compensating control. Insufficient.

04:27

The audit process may not allow the time for auditor to do a thorough risk assessment of your compensating control to determine its impacts.

04:34

So a lot of auditors try to dissuade merchants from using compensating controls.

04:40

I say that to say that you must be prepared to thoroughly defend the use of your compensating controls prior to the audit.

04:48

And here's just a symbolic picture of the ambiguity around compensating controls between merchants que essays and the P C I s S E.

04:58

So I would I would recommend that you stay away from compensating controls unless absolutely necessary, simply because there's very little uniformity around them.

05:08

There have been some. Qs is petitioning the PC High Council to publish more examples of acceptable compensating controls to help make it clear for the merchants and the auditors.

05:19

So in this video we discussed compensating controls and when to implement them.

05:24

We also talked about how to justify your compensating controls to your auditor.

05:30

Now for quick wits,

05:31

this is a valid reason for compensating control,

05:35

lack of funding,

05:38

lack of personnel,

05:39

lack of vendor support

05:41

or lack of organizational support.

05:47

If you're running a mission critical application that is no longer supported by the vendor, you can develop compensating controls to address PC I requirements.

05:58

True or false?

06:00

Compensating control is meant to be a permanent solution to meet a PC. I requirement

06:06

this one's false because compensating controls are only meant to be temporary.

06:14

Every compensating control must be supported by

06:17

a risk analysis

06:19

business Justification.

06:21

Support of meeting the requirement objective.

06:24

We're all of the above

06:29

all of the above.