Compensating Controls

A process used to mitigate risk when not able to meet a PCI DSS requirement.

Compensating controls may be considered when an entity cannot meet a requirement exactly as stated, due to either legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls. Compensating controls must:

  1. Meet the intent and rigor of the original PCI DSS requirement
  2. Provide a similar level of defense as the original PCI DSS requirement
  3. Be “above and beyond” other PCI DSS requirements (not simply in compliance with other PCI DSS requirements)
  4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement.

See “Compensating Controls” Appendices B and C in PCI DSS Requirements and Security Assessment Procedures for guidance on the use of compensating controls.

Many organizations that fail to meet all PCI DSS requirements adopt compensating controls, but this is rarely an easy path: each control must be designed, documented and justified against the original requirement, and maintaining that justification tends to be costly in the long run. Compensating controls may also cease to be accepted as a route to PCI DSS compliance in future. To learn more visit

