Four misconceptions around compensating controls

As the New Year celebrations come to a close, the deadline to become compliant with the EU’s new consumer protection regulation GDPR is creeping closer. With this new law coming into effect in late May, businesses around the world are running out of time to prepare or else risk facing reputation and financial ruin.

The best preparation will include companies phasing out the use of compensating controls to ensure proper compliance and the health of their company. Many businesses will inquire as to why they should get rid of the controls as these solutions have been working well for them to date. However, they should be warned that these make do solutions won’t work for them long term or protect the business from legal and financial consequences should something go wrong.

Here are the top four misconceptions around the use of compensating controls to adhere to PCI DSS.

They will prevent security breaches

Relying on compensating controls will not help prevent fraud or security breaches. Research conducted by Verizon in 2017 showed a strong and direct correlation between the organizations that suffered a breach of security and the use of compensating controls. In fact, of all the payment card data breaches Verizon investigated for the annual report, a stunning 0 percent of the organizations were found to be fully compliant with PCI DSS at the time of breach.

The best fix for this issue that comes to mind involves the storage of valuable consumer data in company systems. Rather than investing time and money in protecting data from would-be hackers, simply make sure there’s nothing available to steal. The less customer data stored, the less risk there is of that data being stolen. Instead of blurring the screen, tools already exist to allow businesses to store code tokens instead of personal card information.

A breach, whether driven by an outside cyber hack, an irresponsible internal employee, or even a or malicious former employee, will tarnish the business’ reputation and result in financial penalties. As GDPR comes into play for breaches, this kind of de-scoping will prove to be a wise long-term compliance strategy.

They are just as good as a complete PCI DSS compliant solution

Equally, the often relied on control measures, such as pause and resume, clean rooms and screen blurring, provide a partial solution but don’t fully embody a complete PCI DSS compliant solution. Part of the process during every annual assessment is to review all compensating controls to ensure that they meet the PCI Security Standards Council requirement, the original business or technological constraint still exists, and it proves to be effective in the current security threat landscape.

If there happens to be an increase in a certain types of attack and the compensating control is not effective in preventing damage with those kinds of attacks, it may not pass the next Qualified Security Assessor (QSA) assessment. Companies who are fully compliant don’t need to prove their solution’s effectiveness or spend time documenting the reasons why they are not able to be fully compliant thus saving the company’s resources – time and money that could be spent elsewhere.

It’s a shortcut to compliance

Compensating controls are not a shortcut to compliance or a free pass on compliance. Instead companies are finding that most compensating controls are actually more expensive in the long run. Worse still, they can often prove harder to implement than actually addressing the original vulnerability in the first place.

Although they can be legally used for almost every requirement of the PCI DSS, brands should calculate the cost to implement the compliant solution before automatically jumping to compensating controls and also consider future potential costs. If companies are not compliant and a hack occurs, they can face compensation and remediation costs, legal fees, federal audits and of course lost revenue. For example, Target’s profits dropped $440 million in the fiscal fourth quarter following the news of the security breach.

A compensating control will be effective in all environments

Many companies operate under the belief that a compensating control that works in one environment will work just perfectly well in another. That’s a dangerous falsehood that could leave the company at risk of security hacks, or even failing the mandatory QSA assessment and having to spend more money to fix the issue. Compensating controls are intended to be created by companies to address the specific requirement of PCI DSS they cannot adhere to. That doesn’t mean that solution should be spread across their entire ecosystem. If one must use compensating controls, they should be bespoke to the requirement and the company issue.

Compensating controls are not intended to fix gaps in PCI compliance. At best they are a band-aid until the company is able to completely triage the issue. At worst, they are a quick route to a sizeable fine, and they should never be implemented as a permanent solution. Being fully compliant with PCI DSS, and soon enough GDPR, is vital for the survival of businesses, from both a reputation and financial perspective. Although, compensating controls can be tempting to implement, they are going to hurt businesses in the long term.