How many compensating controls can I use in a PCI DSS assessment?

There is no limit, but excessive use raises concerns. QSAs will scrutinise environments with many compensating controls, as it may indicate systemic issues rather than isolated constraints. Most successful assessments have fewer than 5 compensating controls.

Do compensating controls expire?

They should be reviewed annually during each PCI DSS assessment cycle. If the original constraint no longer exists, the compensating control should be replaced with the standard requirement. QSAs will verify the constraint still exists each year.

Can I use a compensating control for any PCI DSS requirement?

Yes, compensating controls can be considered for any PCI DSS requirement where a legitimate constraint exists. However, some requirements are fundamental enough that finding an adequate compensating control is extremely difficult (e.g., Requirement 3.4 rendering PAN unreadable).

Who approves compensating controls — the merchant or the QSA?

The QSA evaluates and validates compensating controls during the assessment. The QSA must agree that the constraint is legitimate, the compensating control meets the intent, and the risk is adequately addressed. The QSA documents their evaluation in the ROC or SAQ.

What is the difference between a compensating control and a customised approach?

PCI DSS v4.0 introduced the customised approach as an alternative to compensating controls. The customised approach allows organisations to design their own controls to meet a requirement's objective, with a more rigorous validation process. Compensating controls remain available for constraints.

← PCI DSS 4.0.1 Compliance Guide

Compensating Controls

PCI DSS Compensating Controls: When and How to Use Them

Understand when compensating controls are acceptable, what documentation is required, and how QSAs evaluate alternative security measures under PCI DSS.

A comprehensive guide to using compensating controls correctly — including worksheet requirements, real-world examples, and the most common mistakes organisations make.

Document Your Controls Talk to a PCI Expert

A PCI DSS compensating control is an alternative security measure that satisfies the intent of a requirement when a legitimate business or technical constraint prevents implementing the requirement as stated. Compensating controls must provide a similar level of defence, go above and beyond other PCI DSS requirements, and be documented in a formal Compensating Control Worksheet reviewed by the QSA.

What Are Compensating Controls in PCI DSS?

Compensating controls are alternative security measures that organisations can implement when a legitimate technical or business constraint prevents them from meeting a PCI DSS requirement as explicitly stated. They are not a waiver, exemption, or shortcut — they are a formally documented alternative that must meet or exceed the intent of the original requirement.

Compensating controls are defined in PCI DSS Appendix B (Compensating Controls) and documented using the Compensating Control Worksheet format specified in Appendix C. The PCI Security Standards Council created this mechanism to recognise that real-world environments sometimes cannot implement a requirement exactly as written, while still maintaining a strong security posture.

To be valid, a compensating control must provide an equivalent or greater level of protection than the original requirement. It must address the risk that the original requirement was designed to mitigate, and it must go above and beyond what other PCI DSS requirements already demand. Simply implementing another existing requirement does not constitute a compensating control.

Critically, compensating controls are only valid when a genuine constraint exists. The organisation must demonstrate that a legitimate business or technical reason prevents standard implementation. Convenience, cost savings, or unwillingness to invest in the proper solution are not valid justifications for compensating controls.

When Compensating Controls Are Acceptable

Acceptable

Legitimate technical constraint

A legacy system that cannot support the required encryption standard, protocol version, or authentication mechanism due to platform limitations that cannot be resolved without full system replacement.

Business constraint

An operational requirement that prevents standard implementation, such as a manufacturing environment where system reboots for patching would halt critical production processes with significant safety or financial impact.

Documented and justified thoroughly

The constraint is clearly articulated, the compensating control is formally documented in a Compensating Control Worksheet, and the QSA can verify that the alternative provides equivalent or greater protection.

NOT Acceptable

Convenience

Avoiding a difficult implementation simply because it requires significant effort, organisational change, or technical expertise. Difficulty is not a constraint — it is a project management challenge.

Cost

Choosing a cheaper alternative without a genuine technical or business constraint. Budget limitations alone do not justify a compensating control unless the cost is truly prohibitive relative to the organisation's size and resources.

Laziness

Not wanting to implement the actual requirement because the team lacks motivation or prioritises other projects. PCI DSS requirements are mandatory, and unwillingness is never a valid justification.

Temporary workaround

Using a compensating control for a constraint that could be addressed permanently within a reasonable timeframe. If the underlying issue can be resolved, the compensating control should have a defined expiration and migration plan.

Compensating Control Worksheet Requirements

Every compensating control must be formally documented in a Compensating Control Worksheet (CCW) as defined in PCI DSS Appendix C. The worksheet must include the following elements:

Original requirement number and description

The specific PCI DSS requirement that cannot be met as stated, including its full requirement text and any relevant sub-requirements.

The specific constraint

A clear, detailed explanation of the legitimate business or technical constraint that prevents standard implementation of the requirement.

Objective of the original requirement

What the original requirement protects against — the security risk or threat that the requirement was designed to mitigate.

The compensating control itself

A detailed description of what the organisation is doing instead — the alternative security measure being implemented in place of the standard requirement.

How the compensating control addresses the risk

An explanation of how the alternative measure mitigates the same risk that the original requirement was designed to address, with equal or greater effectiveness.

Validation of above-and-beyond

Evidence that the compensating control goes above and beyond other existing PCI DSS requirements. The compensating control cannot simply be another requirement that the organisation is already obligated to meet.

Risk assessment

An evaluation of the additional risk that would exist if the compensating control were not in place, demonstrating the importance and effectiveness of the alternative measure.

Examples of Valid Compensating Controls

The following examples illustrate how compensating controls can be applied in real-world scenarios where legitimate constraints prevent standard implementation.

Legacy System Cannot Support TLS 1.2

Requirement 4

Constraint: A legacy mainframe system critical to payment processing cannot be upgraded to support TLS 1.2 without a full platform replacement that requires 18+ months.

Compensating controls:

Dedicated VPN tunnel with AES-256 encryption for all data in transit

Network segmentation isolating the legacy system from all non-essential connections

Enhanced monitoring with real-time alerting on all traffic to and from the system

Application-layer encryption of cardholder data before transmission

Shared Accounts Required for System Administration

Requirement 8

Constraint: A critical payment application only supports a single administrative account and cannot be modified to support individual user accounts.

Compensating controls:

Enhanced logging of all account activity with session-level attribution

Video monitoring of all administrative sessions on the system

Session recording with tamper-proof storage and 12-month retention

Management review of all administrative actions on a weekly basis

Physical Security Constraints Prevent Badge-Only Access

Requirement 9

Constraint: A data centre facility has a shared entrance with another tenant, and building management will not permit installation of badge-only access controls at the shared entry point.

Compensating controls:

24/7 guard presence at the facility entrance with identity verification

Strict visitor escort policy requiring authorised personnel accompaniment at all times

CCTV coverage of all entry points and sensitive areas with 90-day retention

Management review of access logs and CCTV footage on a weekly basis

Application Cannot Enforce Password Complexity

Requirement 8

Constraint: A vendor-supplied payment application does not support configurable password complexity rules and the vendor has no plans to add this functionality.

Compensating controls:

Shorter password expiry cycle (30 days instead of 90 days)

Account lockout after 3 failed authentication attempts

Multi-factor authentication required for all access to the application

Enhanced monitoring of authentication failures with real-time alerting

How QSAs Evaluate Compensating Controls

QSAs are responsible for independently evaluating each compensating control to determine whether it adequately addresses the risk and meets the intent of the original requirement. During the assessment, QSAs look for the following:

Is the constraint legitimate and documented?

The QSA verifies that the business or technical constraint is genuine, clearly documented, and cannot be reasonably resolved. The QSA may request technical evidence, vendor documentation, or architectural diagrams to validate the constraint.

Does the compensating control meet the intent of the original requirement?

The alternative measure must address the same security objective as the original requirement. If the requirement aims to prevent unauthorised access, the compensating control must also prevent unauthorised access through an equivalent mechanism.

Does it go above and beyond other existing PCI DSS requirements?

The compensating control cannot simply be another PCI DSS requirement that the organisation is already obligated to meet. It must provide additional security measures that exceed baseline PCI DSS obligations.

Is the risk adequately addressed?

The QSA assesses whether the compensating control effectively mitigates the risk that the original requirement was designed to address, considering the specific threat landscape and attack vectors relevant to the environment.

Is the Compensating Control Worksheet complete and accurate?

The QSA reviews the CCW for completeness, accuracy, and internal consistency. All required fields must be populated, and the documented information must align with the actual implementation observed during testing.

Would the compensating control withstand a real attack scenario?

The QSA considers whether the alternative measure would hold up under actual attack conditions. A compensating control that looks good on paper but would fail in practice does not satisfy the requirement.

Common Compensating Control Mistakes

Using compensating controls to avoid difficult implementations rather than for genuine constraints

Not documenting the business/technical justification thoroughly enough for QSA review

Implementing a compensating control that does not go above and beyond existing PCI requirements

Treating compensating controls as permanent when the underlying constraint could be resolved

How GRCTrack Helps

Compensating Control Worksheet templates aligned to PCI DSS Appendix C

Guided documentation workflow ensuring all required fields are completed

QSA review portal for assessor evaluation and approval of compensating controls

Tracking and expiration alerts for compensating controls that should be reviewed annually

Risk assessment integration linking compensating controls to your broader risk register

Related PCI DSS Resources

PCI DSS 4.0.1 Guide Scope Determination Evidence Requirements Network Segmentation Guide Assessment Process QSA Assessment Guide

Document Your Compensating Controls

GRCTrack provides Compensating Control Worksheet templates, guided documentation workflows, and QSA review portals — so your compensating controls are complete, compliant, and ready for assessment.

Create Free Account Contact Sales

PCI DSS Compensating Controls: When and How to Use Them

What Are Compensating Controls in PCI DSS?

When Compensating Controls Are Acceptable

Acceptable

NOT Acceptable

Compensating Control Worksheet Requirements

Original requirement number and description

The specific constraint

Objective of the original requirement

The compensating control itself

How the compensating control addresses the risk

Validation of above-and-beyond

Risk assessment

Examples of Valid Compensating Controls

Legacy System Cannot Support TLS 1.2

Shared Accounts Required for System Administration

Physical Security Constraints Prevent Badge-Only Access

Application Cannot Enforce Password Complexity

How QSAs Evaluate Compensating Controls

Is the constraint legitimate and documented?

Does the compensating control meet the intent of the original requirement?

Does it go above and beyond other existing PCI DSS requirements?

Is the risk adequately addressed?

Is the Compensating Control Worksheet complete and accurate?

Would the compensating control withstand a real attack scenario?

Common Compensating Control Mistakes

How GRCTrack Helps

Related PCI DSS Resources

Document Your Compensating Controls

PCI DSS Compensating Controls — Frequently Asked Questions