We notice you are visiting from a U.S. Internet provider. 
18/03/2010 -
Many businesses think of compensating controls as a shortcut to payment processing compliance. However, compensating controls in reality are nothing near a shortcut - they require research and analysis to correctly implement.According to Anton Chuvakin and Branden Williams - whose book PCI Compliance is available for preview at CSO magazine's website - the following requirements must be met for a business to be eligible to use compensating controls.
First, the control must meet the intent and rigor of the original PCI DSS requirement, be "above and beyond" - not simply in compliance with - other PCI DSS requirements, provide a similar level of defense as the original PCI DSS requirement, and be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement, said Chuvakin and Williams.
The authors remind business owners that" before immediately running down the compensating control route, be sure that you have done your research and make sure that you legitimately meet all of the requirements for a compensating control." Otherwise, the business will likely not pass the PCI compliance audit.
In general, business owners should concern themselves more with security than compliance, says Bob Russo, general manager of the PCI Security Standards Council. Russo recently told Bank Info Security's editorial director Tom Field in an interview that merchants should "live, breath, eat, sleep, not PCI, but security."
