The payments industry is going through a significant evolution, one that started to gain momentum over the past few decades. Preferred payment methodologies changed drastically from check to credit card to digital payment, which ultimately raised the importance of payment security. Needless to say, achieving compliance with PCI DSS industry requirements is critical to the success of an organization and critical in helping that organization maintain trust with their partners and customers.
When gaps are discovered in a PCI DSS assessment, what does an organization do? What steps does it need to follow to achieve compliance? And how are organizations monitored to ensure the gaps are effectively addressed?
The short answer: compensating controls. Compensating controls are what we see most organizations leverage to address control gaps during an assessment. Compensating controls, however, lack transparency. After all, there are no guidelines or requirements for an organization to disclose specifics around any gaps within the attestation, nor anything in the attestation that would clearly indicate an organization leveraged compensating controls as a corrective measure.
This is one of the primary reasons we believe a shift is coming to the payments industry, and the future of the industry is one that will be rooted in transparency and accountability.
To understand the impact this potential change will have, let’s explore how organizations have historically leveraged compensating controls and how increasing transparency has the potential to change the industry for the better.
What Are Compensating Controls?
The PCI Council explains compensating controls “may be considered when an entity cannot meet a requirement explicitly as stated due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.”
Basically, compensating controls currently provide organizations with an alternate way to achieve industry requirements when they are otherwise unable to do so. Compensating controls are great, in theory: they allow organizations some flexibility to address legitimate constraints that prevent them from meeting a control as stated, while also ensuring there are adequate controls in place to mitigate the risk of not having the original control in place as it was written in the standards. In addition, they have allowed organizations to put a corrective action into place to address issues and prevent a “non-compliant” report. This has helped merchants avoid non-compliance fees and helped service providers avoid damaging a customer’s trust, which could result in customer churn.
However, compensating controls have been overutilized, and primarily used in a way they weren’t technically designed for. It’s why we at A-LIGN believe that the industry’s reliance on compensating controls to address gaps in an organization’s PCI compliance efforts (particularly those of service providers) is a bad practice for two primary reasons: they cover up underlying issues that may need to be addressed, and the service provider’s clients are kept in the dark that there were control gaps.
The Weakest Link: People Processes
One way in which compensating controls are misused is their broad application to cover flawed processes within an organization. We see compensating controls come into play often with things like vulnerability scanning and semi-annual firewall reviews. These are relatively simple and straightforward processes. Often, it’s not the scanning or technology reviewed that is missing the mark — it’s a problem with the related people processes and specifically a lack of both oversight and accountability. The people who are supposed to manage these processes and ensure they get done are not properly trained or monitored.
The people processes that lie behind the steps to maintain PCI compliance throughout the year can easily be overlooked. Organizations don’t take the time to ensure these people processes are properly in place. Instead, they rush to implement a compensating control to cover the issue. But this only remedies a symptom, it doesn’t cure the illness.
Compensating controls are also not properly reported to customers. Many times, customers are left unaware that control gaps exist, or they only know an organization had utilized a compensating control but don’t have the details of the “why” behind its use. This is because PCI DSS standards, as they currently exist, do not require that any specifics around compensating controls or corrective actions be disclosed to a partner or customer. There is no process that requires an organization to be transparent about compliance issues or gaps they need to correct.
As a result, a customer of a service provider is unaware they could be working with an organization that lacks a necessary security requirement or the proper people processes to maintain a given requirement, opening them up to increased risk. And there’s little urgency in many situations for the organization to address those issues.
Transparency is the Way
We believe more transparency in reporting will raise the caliber of organizations within the industry. Organizations will feel a greater sense of urgency and commitment to fix underlying issues and mature their compliance programs if issues are promptly documented and reported via an attestation report.
After all, transparency often comes with a healthy side of accountability. Organizations are more likely to address various issues when their customers are made aware of the compliance gaps they’ve uncovered and corrected. This signals the potential for a significant shift of power, where customers have the ability to hold organizations accountable for their actions. Ultimately, that’s the fastest way to drive change and ensure organizations prioritize bettering their compliance programs.
How A-LIGN Can Help
Partnering with a trusted PCI DSS Qualified Security Assessor Company (QSAC), like A-LIGN, gives organizations peace of mind knowing they’re working with an audit partner that is focused on helping them meet their organization’s compliance needs. From helping set reminders to stay on track with PCI DSS timelines to conducting regular segmentation testing and vulnerability scans, A-LIGN can help your organization recognize ways to enhance the maturity of your processes to achieve and maintain PCI DSS compliance, so you can be confidently transparent.