The Art of the Compensating Control v1_2

Published by: Jonathan Care on May 07, 2013
Copyright: Attribution Non-commercial

The Art of the compensating control

Jonathan Care

Paresh Deshmukh
Global Security Consulting

What is a compensating control?
+ In the past:
  ▪ Everything from a legitimate work-around for a security challenge to something that the CIO wants to achieve
+ Now:
  ▪ Based on a risk analysis
  ▪ Legitimate technological or documented business constraint
+ Four criteria for validity:
  ▪ Meet the intent and rigor of the original PCI DSS requirement
  ▪ Provide a similar level of defence as the original PCI DSS requirement
  ▪ Be “above and beyond” other PCI DSS requirements (not simply in compliance with)
  ▪ Be commensurate with the additional risk imposed by not adhering to the PCI DSS requirement

What compensating controls are not!
+ Not a “short cut” to compliance
  ▪ Harder to do
  ▪ Cost more money in the long run than addressing the original issue
+ Not a permanent solution for a compliance gap
+ There is no compensating control for storing sensitive authentication data after authorisation
+ While there is no defined lifespan for compensating controls, they must be reviewed as part of the annual assessment
  ▪ Does it (still) meet the four criteria?
  ▪ Does the original constraint still exist?
  ▪ Is it still effective in the current security threat landscape?

Who approves compensating controls
+ Initial approval is by the complying organisation
  ▪ Will this work for my organisation?
  ▪ Can we support this?
+ Second stage approval is by the QSA
  ▪ Does this meet the criteria for compensating controls?
  ▪ Am I willing to put my name to this?
+ Final stage approval is the Acquiring Bank
  ▪ Substantial documentation is required
  ▪ Open channel of communication

Lunchtime fun: The compensating control cha-cha
+ Encryption is a hotly debated topic
+ Things that aren’t encryption:
  ▪ “Just do it”
  ▪ “It’s a mainframe”
  ▪ RAID-5
  ▪ Transposing digits in PAN
  ▪ Disk only encryption inside the data centre without additional user credentials
  ▪ Transparent encryption appliances
+ By the way, encryption is not the problem with Requirement 3 – key management is!
  ▪ Using COBOL’s random number generator to generate 16 digits (128 bits) leads to:
    – Lack of randomness due to entropy issues
    – Elimination of keyspace leading to only 53 bits of possible key material
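The keyspace point above is worth seeing in numbers. The Python below is an added illustration, not code from the deck: it computes how much key material a key made of 16 decimal digits can carry versus the 128 bits its ASCII encoding occupies, shows byte-by-byte why a digits-as-key construction wastes most of each byte, and contrasts it with a key drawn from the operating system CSPRNG. The sample digit string is constructed for the demonstration and is not a real key.

```python
import math
import secrets

DIGIT_ALPHABET_SIZE = 10   # a decimal-digit "key" can only use 0-9 in each position
KEY_DIGITS = 16            # the 16-digit key described on the slide
FULL_KEY_BYTES = 16        # a 128-bit key is 16 bytes, each of which can take 256 values


def effective_key_bits(alphabet_size: int, length: int) -> float:
    """Entropy ceiling of a key chosen uniformly from alphabet_size**length values."""
    return length * math.log2(alphabet_size)


def digits_as_key(digits: str) -> bytes:
    """The anti-pattern: use the ASCII text of the digits directly as the 16 key bytes."""
    if len(digits) != KEY_DIGITS or not digits.isdigit():
        raise ValueError("expected exactly 16 decimal digits")
    return digits.encode("ascii")   # 16 bytes, but every byte lies in 0x30..0x39


def distinct_byte_values(key: bytes) -> int:
    """Number of distinct byte values present in a key (a proper key uses up to 256)."""
    return len(set(key))


def proper_key() -> bytes:
    """A 128-bit key from the OS CSPRNG; every byte can take any of 256 values."""
    return secrets.token_bytes(FULL_KEY_BYTES)


def brute_force_ratio() -> float:
    """How many times smaller the digit keyspace is than the full 128-bit keyspace."""
    return 2 ** 128 / DIGIT_ALPHABET_SIZE ** KEY_DIGITS


if __name__ == "__main__":
    sample = "1234567890123456"  # constructed sample, not a real key
    print(f"digit key entropy:  {effective_key_bits(10, 16):.2f} bits")
    print(f"full key entropy:   {effective_key_bits(256, 16):.2f} bits")
    print(f"digit key bytes:    {digits_as_key(sample).hex()}")
    print(f"byte values used by a digit key: at most {DIGIT_ALPHABET_SIZE} of 256")
    print(f"keyspace shrinks by a factor of about 2**{math.log2(brute_force_ratio()):.1f}")
```

The first figure is the slide's "53 bits": log2(10^16) is about 53.15, so the key looks like 128 bits on disk but an attacker only has to search a 53-bit space, before even accounting for the weak generator the slide mentions. The fix is the one the slide implies: derive keys from a CSPRNG and manage them under Requirement 3, rather than from application-language random number routines.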

Sample Compensating Control (1)
+ Routers do not support SSH (PCI Requirement 2.3)
+ Databases need encryption (PCI Requirement 3.4)
+ Costs:
  ▪ Original cost estimates of upgrade: £125MM
+ Risks:
  ▪ Card numbers are not encrypted at the point of sale
  ▪ Routers/Switches can redirect or span traffic for capture
[Diagram: Financial Institution, Corporate Offices, Application Servers, Database Servers]



Sample Compensating Control (2)
+ Transaction Data:
  ▪ Now encrypted at the point of sale using industry accepted algorithms
  ▪ Stays encrypted until passed to financial institution
+ PANs are replaced with “reference numbers” when transaction returns
+ Mitigated risks by rendering the data unreadable
[Diagram: Financial Institution, Corporate Offices, Application Servers, Database Servers]
  Associate Unencrypted Card: 4111111111111111
  Encrypted Card Number: aWxvdmVjcmVkaXRjYXJkcw==

Compensating control Ju-Jitsu (The Art of Compliance)
+ Reduce the scope of PCI to the bare minimum required
  ▪ Can you truncate PAN data?
  ▪ Does your ecommerce site really need to be in the payment flow?
+ Ask the hard questions
  ▪ Why do you need this?
  ▪ What would you do without it?
+ In the event of a breach, how will this assist a forensic investigator?
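Two slides here deserve a worked check: the "Encrypted Card Number" shown on Sample Compensating Control (2), and the scope-reduction question "Can you truncate PAN data?". The Python below is an added example, not code from the deck. Its first function decodes the slide's value as base64 and shows that it round-trips to readable text, which is the practical test a QSA applies to the "things that aren't encryption" list: if the plaintext comes back with no key, the data was encoded, not encrypted. The other two pieces show the techniques the deck actually relies on, PAN truncation and replacement by a random reference number. The TokenVault class and its REF- prefix are my assumptions for illustration; a production vault is a hardened, separately assessed service. The PAN used is the test number already on the slide.

```python
import base64
import binascii
import secrets
from typing import Dict, Optional

# Values taken from the slide: a test PAN and the value labelled "Encrypted Card Number".
SLIDE_PAN = "4111111111111111"
SLIDE_CIPHERTEXT = "aWxvdmVjcmVkaXRjYXJkcw=="


def decode_if_base64(value: str) -> Optional[bytes]:
    """Return the decoded bytes when value is plain base64 that round-trips exactly.

    Anything that comes back as readable plaintext was encoded, not encrypted:
    no key was needed to recover it, so it renders nothing unreadable.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if base64.b64encode(raw).decode("ascii") == value else None


def truncate_pan(pan: str) -> str:
    """Truncation as a scope reducer: keep at most the first six and last four digits."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be at least 13 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical reference-number vault (an assumption, not the deck's design).

    The PAN is stored only here; every downstream system keeps the random token,
    which carries no information about the PAN and cannot be decoded offline.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "REF-" + secrets.token_hex(8)   # 64 random bits, unrelated to the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


if __name__ == "__main__":
    recovered = decode_if_base64(SLIDE_CIPHERTEXT)
    print("slide 'ciphertext' decodes to:", recovered)   # readable text, so not encryption
    print("truncated PAN:", truncate_pan(SLIDE_PAN))
    vault = TokenVault()
    ref = vault.tokenize(SLIDE_PAN)
    print("reference number stored downstream:", ref)
    print("vault lookup returns PAN:", vault.detokenize(ref) == SLIDE_PAN)
```

Truncated PANs and vault tokens are the two forms that take systems out of scope: neither can be turned back into a card number without access to the vault, which is exactly the property a reversible encoding lacks. In a forensic investigation, the same distinction decides whether a captured database table is a breach of cardholder data or not.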

Compensating control Ju-Jitsu (The Art of Compliance)
+ Not the golden parachute of compliance initiatives.
+ Require work to build effective ones that will pass the scrutiny of both a QSA and an acquiring bank (or card brand).

Compensating controls may help you lower the bar of compliance in the short term, but remember, only you can prevent a security breach.

Data Breaches vs. Data Protection (Here’s Why)
[Chart; source: Gartner – “Toolkit Presentation: PCI Compliance Is Hard to Achieve but Worthwhile”, 4 May 2007]

Confidential and Proprietary


Data Breach Concerns
[Chart; source: Verizon 2009 Data Breach Report]



Final Thought: Why be compliant?
