Compensating Controls
Maligned and often misunderstood, Compensating Controls are there to help organisations that cannot meet a particular PCI DSS control due to business or cost constraints.
They should not be applied on a preferential basis. Blackfoot provide a formal Compensating Control Validation and Risk Assessment process to ensure that, where necessary, they can be applied on a permanent basis.
Compensating Controls must satisfy the following criteria:
  • Meet the intent and rigour of the original PCI DSS requirement
  • Provide a similar level of defence to the original PCI DSS requirement
  • Be above and beyond other PCI DSS requirements
  • Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement
Examples of where Compensating Controls may apply are:
  • Wireless networks that do not support WPA
  • Legacy systems that do not support data encryption
  • Environments where the rollout of host-based security controls is too expensive
Blackfoot's Compensating Controls are designed to be permanent and mitigate individual risk as intended by PCI DSS.