Compensating Controls Definition

Compensating Controls may be selected as a response in your questionnaire when you cannot meet a requirement explicitly as stated. The PCI Council's definition of compensating controls is excerpted below from the document PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms, which is published on the PCI Security Standards Council's web site at:

https://www.pcisecuritystandards.org/security_standards/documents.php

"Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:

1) Meet the intent and rigor of the original stated PCI DSS requirement;

2) Provide a similar level of defense as the original PCI DSS requirement;

3) Be "above and beyond" other PCI DSS requirements (not simply in compliance with other PCI DSS requirements); and

4) Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement."

Additional information on the compensating controls criteria, including considerations when evaluating whether a control is "above and beyond" other requirements, is available in "Appendix B: Compensating Controls" in each of the PCI DSS Self-Assessment Questionnaires published on the PCI Security Standards Council's web site at:

https://www.pcisecuritystandards.org/merchants/self_assessment_form.php