Appendix C: Compensating Controls Worksheet
Use this worksheet to define compensating controls for any requirement where compensating controls are used to meet a PCI DSS requirement. Note that compensating controls should also be documented in the Report on Compliance in the corresponding PCI DSS requirement section.

Note: Only companies that have undertaken a risk analysis and have legitimate technological or documented business constraints can consider the use of compensating controls to achieve compliance.
Requirement Number and Definition:

1. Constraints
   Information Required: List constraints precluding compliance with the original requirement.
   Explanation:

2. Objective
   Information Required: Define the objective of the original control; identify the objective met by the compensating control.
   Explanation:

3. Identified Risk
   Information Required: Identify any additional risk posed by the lack of the original control.
   Explanation:

4. Definition of Compensating Controls
   Information Required: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   Explanation:

5. Validation of Compensating Controls
   Information Required: Define how the compensating controls were validated and tested.
   Explanation:

6. Maintenance
   Information Required: Define process and controls in place to maintain compensating controls.
   Explanation:
PCI DSS v3.2.1 Template for Report on Compliance, Rev. 1.0, Appendix C: Compensating Controls Worksheet                                 June 2018
Copyright 2018 PCI Security Standards Council LLC                                                                                          Page 1
Compensating Controls Worksheet – Completed Example

Use this worksheet to define compensating controls for any requirement noted as being “in place” via compensating controls.

Requirement Number: 8.1.1 – Are all users identified with a unique user ID before allowing them to access system components or cardholder data?

1. Constraints
   Information Required: List constraints precluding compliance with the original requirement.
   Explanation: Company XYZ employs stand-alone Unix Servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login nor is it feasible to log all “root” activity by each user.

2. Objective
   Information Required: Define the objective of the original control; identify the objective met by the compensating control.
   Explanation: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

3. Identified Risk
   Information Required: Identify any additional risk posed by the lack of the original control.
   Explanation: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.

4. Definition of Compensating Controls
   Information Required: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   Explanation: Company XYZ is going to require all users to log into the servers using their regular user accounts, and then use the “sudo” command to run any administrative commands. This allows use of the “root” account privileges to run pre-defined commands that are recorded by sudo in the security log. In this way, each user’s actions can be traced to an individual user account, without the “root” password being shared with the users.

5. Validation of Compensating Controls
   Information Required: Define how the compensating controls were validated and tested.
   Explanation: Company XYZ demonstrates to the assessor that the sudo command is configured properly using a “sudoers” file, that only pre-defined commands can be run by specified users, and that all activities performed by those individuals using sudo are logged to identify the individual performing actions using “root” privileges.

6. Maintenance
   Information Required: Define process and controls in place to maintain compensating controls.
   Explanation: Company XYZ documents processes and procedures to ensure sudo configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually identified, tracked and logged.
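Rows 4 and 5 of the completed example rest on two checks an assessor would repeat: that the sudoers policy limits each user to pre-defined commands, and that every sudo invocation in the log names the individual account. The following is an added example (not part of the PCI SSC template) of those two checks; the sudoers excerpt and log lines are constructed, and the parser covers only the subset of sudoers syntax used here.

```python
import re

# Constructed sudoers excerpt and syslog lines (not from the PCI template).
SUDOERS = """\
Defaults logfile=/var/log/sudo.log
Cmnd_Alias BACKUP = /usr/bin/rsync, /bin/tar
alice  ALL=(root) BACKUP
bob    ALL=(ALL) NOPASSWD: ALL
"""
SUDO_LOG = """\
Jun  1 10:00:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /backup
Jun  1 10:05:42 db01 sudo:      bob : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/bash
"""
# user  host=(runas) [TAG:] commands   (tags such as NOPASSWD: are skipped)
USER_SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(.+)$")
LOG_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")

def parse_sudoers(text):
    """Return {user: set(commands)} with Cmnd_Alias names expanded."""
    aliases, policy = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Cmnd_Alias"):
            name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = {c.strip() for c in cmds.split(",")}
            continue
        m = USER_SPEC.match(line)
        if m:
            cmds = set()
            for c in m.group(2).split(","):
                cmds |= aliases.get(c.strip(), {c.strip()})
            policy[m.group(1)] = cmds
    return policy

def unrestricted_users(policy):
    """Users granted ALL: they can run any command as root, which defeats the control."""
    return sorted(u for u, cmds in policy.items() if "ALL" in cmds)

def attribute_log(log, policy):
    """(invoking user, target user, command, permitted by policy) per sudo log line."""
    rows = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            user, runas, cmd = m.groups()
            allowed = policy.get(user, set())
            rows.append((user, runas, cmd, "ALL" in allowed or cmd.split()[0] in allowed))
    return rows
```

Any name returned by `unrestricted_users` is a finding against row 4, and a log row whose last field is False shows a command outside the documented policy, which the row 6 maintenance process should catch.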