
Which of the following is true regarding compensating controls?

A . A compensating control is not necessary if all other PCI DSS requirements are in place.
B . A compensating control must address the risk associated with not adhering to the PCI DSS requirement.
C . An existing PCI DSS requirement can be used as compensating control if it is already implemented.
D . A compensating control worksheet is not required if the acquirer approves the compensating control.

Answer: B

Explanation:

Compensating Controls Definition and Purpose

A compensating control is an alternate measure that may be considered only when an entity cannot meet a PCI DSS requirement explicitly as stated because of a legitimate technical or documented business constraint. It must meet the intent and rigor of the original requirement, provide a similar level of defense, go above and beyond the other PCI DSS requirements that already apply, and be commensurate with the additional risk created by not adhering to the requirement. Option B is the only statement that captures this.

The constraint, the risk being addressed, and the control itself must be explicitly documented in the Compensating Control Worksheet (CCW) in Appendix B/C of PCI DSS.

Mandatory Documentation

PCI DSS v4.0 requires a completed CCW for every requirement that is met through a compensating control. The worksheet is part of the Report on Compliance or SAQ, and an acquirer's approval of the control does not remove the obligation to document it, which is why option D is wrong.

The CCW requires detailed documentation including:

Constraints: the legitimate technical or business constraint preventing the original requirement from being implemented as stated.

Objective and identified risk: the purpose of the original requirement and the additional risk posed by not meeting it.

Definition of the compensating control: how it addresses that objective and risk.

Validation and maintenance: evidence that the control is effective and how it will be kept effective over time.

Using Existing Requirements

An existing PCI DSS requirement cannot be used as a compensating control if it is already required for the item under review; the control must be above and beyond what is already mandated. An existing requirement may contribute to a compensating control only when it applies to another area and is not required for the item under review, or when it is combined with additional controls to offset the risk. This is why option C, which treats any already-implemented requirement as a valid compensating control, is incorrect, and option A is wrong because meeting the other requirements does not make up for the one that is not met.

Approval and Review Process

The assessor (QSA) must validate the implementation, effectiveness, and appropriateness of each compensating control during the assessment, and the control must be revalidated at every subsequent assessment.
