Will the PCI Security Standards Council "approve" my organization's implementation of compensating controls in my effort to comply with the PCI DSS?
The PCI Security Standards Council (PCI SSC) is not able to approve specific configurations or compensating controls since we are not onsite doing the assessment and are therefore not able to understand and review the total security environment. Each individual approved as a Qualified Security Assessor (QSA) is trained by the PCI SSC regarding the underlying intent of PCI DSS requirements and the evaluation of compensating controls. QSAs are responsible to determine whether a compensating control is sufficient to meet the intent of a requirement during their review of all other controls in place to satisfy PCI DSS requirements. We recommend that you contact a QSA to review your environment and assist in evaluating any compensating controls you may have in place for meeting the intent of PCI DSS requirements.
Article Number: 1046