Compensating Controls - Quick Fix at High Cost: Taking "the Easy Way Out" to Satisfy PCI DSS Requirement #3 Carries its Own Risks
By Gary Palgon, Vice President of Product Management, nuBridges, Inc.
What constitutes a compensating control? Let's take a look at the four relevant clauses of version 1.2 of the PCI DSS standard. The compensating control must...
- Provide additional segmentation/abstraction - for example, at the network layer
- Provide the ability to restrict access to cardholder data or databases based on the following criteria: IP address/MAC address, application/service, user accounts/groups, data type (such as packet filtering)
- Restrict logical access to the database -- independent of Active Directory or Lightweight Directory Access Protocol (LDAP)
- Prevent/detect common application or database attacks
Meeting the Spirit of the PCI DSS is No Longer Enough
A network access control such as a data auditing device that can passively audit access and alert on access that violates policy will achieve the spirit of a compensating control for database encryption. The key phrase here is "...will achieve the spirit of compensating control..." But that is not actually what the PCI Security Standards Council had in mind when it set forth this special and temporary provision of PCI DSS.
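To make concrete what a passive audit device of the kind described above actually does against the four criteria listed earlier (network, IP/MAC, application, account and data-type restrictions), here is an added illustration, not code from the article or from nuBridges. The log line format, the allow-list values and the sample events are all constructed for the example; real audit appliances use their own formats. What it shows is the essential limitation the article goes on to describe: the control evaluates access after it has already happened and produces an alert for a human to act on; it prevents nothing.

```python
"""Passive database-access audit: evaluate recorded accesses against an
allow-list and raise alerts for violations. Added example with constructed
data; the line format and policy values are assumptions, not a real product."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass(frozen=True)
class AccessEvent:
    """One database access as a passive tap or query-audit log might record it."""
    timestamp: str
    src_ip: str
    src_mac: str
    application: str
    user: str
    data_type: str   # e.g. "cardholder" or "inventory"
    action: str      # e.g. "SELECT" or "UPDATE"


@dataclass
class AccessPolicy:
    """Allow-list covering the criteria the article enumerates (values hypothetical)."""
    allowed_networks: Set[str]
    allowed_macs: Set[str]
    allowed_apps: Set[str]
    allowed_users: Set[str]        # database-local accounts, independent of AD/LDAP
    cardholder_readers: Set[str]   # subset of accounts cleared to read cardholder data


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the constructed whitespace-delimited audit format (seven fields per line)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed audit line: {line!r}")
        events.append(AccessEvent(*fields))
    return events


def evaluate(event: AccessEvent, policy: AccessPolicy) -> List[str]:
    """Return every policy criterion the event violates (empty list means compliant)."""
    violations = []
    ip = ip_address(event.src_ip)
    if not any(ip in ip_network(net) for net in policy.allowed_networks):
        violations.append(f"source IP {event.src_ip} outside allowed networks")
    if event.src_mac.lower() not in policy.allowed_macs:
        violations.append(f"source MAC {event.src_mac} not on allow-list")
    if event.application not in policy.allowed_apps:
        violations.append(f"application {event.application} not on allow-list")
    if event.user not in policy.allowed_users:
        violations.append(f"account {event.user} not on allow-list")
    if event.data_type == "cardholder" and event.user not in policy.cardholder_readers:
        violations.append(f"account {event.user} not cleared for cardholder data")
    return violations


def audit(events: List[AccessEvent], policy: AccessPolicy) -> List[Dict]:
    """Detective control only: accesses have already occurred when alerts are raised."""
    alerts = []
    for event in events:
        violations = evaluate(event, policy)
        if violations:
            alerts.append({"timestamp": event.timestamp, "user": event.user,
                           "src_ip": event.src_ip, "violations": violations})
    return alerts


# Constructed sample audit lines: timestamp ip mac application account data_type action
SAMPLE_LOG = """
2009-04-01T10:00:00Z 10.20.30.5   00:1a:2b:3c:4d:5e pos-gateway svc_pos    cardholder SELECT
2009-04-01T10:00:05Z 10.20.30.5   00:1a:2b:3c:4d:5e pos-gateway svc_pos    inventory  SELECT
2009-04-01T10:01:00Z 10.20.30.7   00:1a:2b:3c:4d:60 reporting   svc_report cardholder SELECT
2009-04-01T10:02:00Z 192.168.77.9 00:1a:2b:3c:4d:5e sqlplus     jdoe       cardholder SELECT
"""

# Hypothetical allow-list for the sample environment.
SAMPLE_POLICY = AccessPolicy(
    allowed_networks={"10.20.30.0/24"},
    allowed_macs={"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:60"},
    allowed_apps={"pos-gateway", "reporting"},
    allowed_users={"svc_pos", "svc_report"},
    cardholder_readers={"svc_pos"},
)


def run_sample() -> List[Dict]:
    """Audit the constructed log against the constructed policy."""
    return audit(parse_log(SAMPLE_LOG), SAMPLE_POLICY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["timestamp"], alert["user"], alert["src_ip"])
        for reason in alert["violations"]:
            print("   -", reason)
```

Running it flags two of the four sample accesses: the reporting account reading cardholder data it is not cleared for, and an interactive session from an unapproved address, tool and account. Both reads completed before anything was flagged, and every alert still needs someone to notice it and respond, which is exactly the dependency on human intervention and the reactive posture the article describes. Encrypting the stored data, by contrast, changes what an unauthorised read yields rather than merely reporting that it happened.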
According to Rob Russo, general manager, PCI Security Standards Council, a compensating control has to exceed the relevant PCI DSS requirement. "The standard is the baseline," says Russo. "If you have a compensating control you want to submit, it has got to be above and beyond what the standard is calling for."
Compensating controls are not intended to be permanent solutions. The standard specifies that "...only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance." Taking shortcuts or applying loose interpretations could come back to haunt merchants, with significant legal and operational consequences. To reduce risk of liability, security professionals should err on the side of interpreting the PCI Standard literally and narrowly. The further a merchant moves from a strict interpretation of PCI DSS, the more litigation leverage a plaintiff's attorneys will have following a breach, and the more likely the merchant's interpretation will be deemed "unreasonable" in the eyes of the judicial system.
The PCI DSS Defines a Compensating Control as Meeting Four Requirements
- Meet the intent and rigor of the original requirement
- Repel a compromise attempt with similar force
- Be above and beyond other PCI standard requirements
- Be commensurate with the additional risk
A Closer Look at Compensating Controls
- Compensating controls add dependencies and typically require human intervention. Relying on compensating controls introduces weaknesses in the security process since there are no proactive security measures in place - only the ability to react once a breach actually occurs.
- Controls are tactical, not strategic. Compensating controls are normally used as a last resort until the required technology can be implemented.
- When a Report on Compliance (ROC) that includes compensating controls is submitted, it is scrutinized much more stringently than one from an organization that has implemented the required security techniques.
- Compensating controls tend to lack the logging capabilities that are required for proper forensic analysis and/or to meet regulatory compliance requirements.
- Compensating controls are strictly situational. A specific series of events must occur for them to be effective. Any deviation - whether technical or socially engineered - tends to render them ineffective.
- Compensating controls must be tested and constantly re-tested to ensure they are effective. Typically re-testing is not done routinely enough to prevent security breaches, since it is resource-intensive and requires constant vigilance.
- Compensating controls must provide protection "above and beyond" the intended criterion. In other words, the goal is not to simply do enough to pass an audit, but to surpass the required measure provided in the audit.
- In the PCI DSS 1.2 criteria related to compensating controls, the council mandated dual controls when a technology is not in place. For example, in 2009 companies would almost have to double the amount of work required to maintain their compensating controls - adding management and administrative costs to their data protection infrastructure.
- The assessment/decision should be viewed from the corporate risk perspective as well as the economic-impact perspective. The organization must move to completely secure the data or accept the substantial exposure in terms of cost, reputation and business continuity.
There is a way to reduce the impact of data breaches to nearly zero, and that is encryption. It is also a very effective way to eliminate the need for compensating controls altogether in many cases.
nuBridges is exhibiting at Infosecurity Europe 2009, the number one industry event in Europe, held on April 28-30, 2009 in its new venue - Earl's Court, London. The event provides an unrivalled free education programme, where exhibitors showcase new and emerging technologies and offer practical and professional expertise. For further information please visit www.infosec.co.uk.
To review PCI DSS 1.2, please visit:
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.doc