Which of the following is true regarding compensating controls?

 Compensating Controls Definition and Purpose

A compensating control is an alternate measure that satisfies the intent of a specific PCI DSS requirement and provides an equivalent level of security.

The rationale and risk mitigation must be explicitly documented using the Compensating Control Worksheet (CCW).

 Mandatory Documentation

PCI DSS v4.0 mandates the use of a CCW when implementing compensating controls. This applies regardless of acquirer approvals​​.

The CCW requires detailed documentation including:

Constraints preventing the original requirement from being implemented.

Justification for the compensating control.

Description of the control and evidence of its effectiveness.

 Using Existing Requirements

If an existing PCI DSS requirement (e.g., Requirement 5 for antivirus) is already implemented and can mitigate the risks of not meeting another requirement, it may qualify as a compensating control​​.

 Approval and Review Process

QSAs must validate the implementation, effectiveness, and appropriateness of compensating controls during the assessment process​