Professional Documents
Culture Documents
For more information about the use of Compensating Controls, refer to Appendices B and C in PCI DSS
on the PCI SSC website.
For more information about the use of the INFI Worksheet, refer to the following documents on the PCI
SSC website:
▪ PCI DSS v4.x: Items Noted for Improvement (INFI) Worksheet − Frequently Asked Questions
▪ PCI DSS v4.x: Items Noted for Improvement (INFI) − Instructions and Worksheet
This document addresses use of Compensating Controls and Items Noted for Improvement as part of PCI
DSS v4.x assessments.
PCI DSS v4.x Items Noted for Improvement and Compensating Controls Guidance June 2023
© 2023 PCI Security Standards Council, LLC. All Rights Reserved. Page 1
PCI DSS v4.x: Items Noted for Improvement and
Compensating Controls Guidance
Purpose Entity identifies a technical or business Entity or assessor identifies one or more
constraint that prevents it from meeting the items that require corrective action before
requirement as stated. the assessment is complete for that
requirement to be considered In Place.
Entity’s role ▪ Identify the technical or business ▪ Identify and address the reason the
constraint that prevents meeting the requirement was not met (what failed).
requirement. ▪ Implement controls and processes to
▪ Design an alternate (compensating) meet the requirement going forward.
control that meets the criteria in PCI DSS ▪ Implement controls and processes to
Appendix B. prevent (or detect) reoccurrence of the
▪ Implement the control. failure.
▪ Document the control in a Compensating
Control Worksheet (CCW) per PCI DSS
Appendices B and C.
PCI DSS v4.x Items Noted for Improvement and Compensating Controls Guidance June 2023
© 2023 PCI Security Standards Council, LLC. All Rights Reserved. Page 2
Topic Compensating Control (CC) Items Noted for Improvement (INFI)
Assessor’s role ▪ Have conversations and review the CCW ▪ Have conversations with entity about the
completed by the entity to understand the noted item, corrective actions needed,
technical or business constraint, etc. etc.
▪ Assessor may assist with development ▪ Verify the entity has:
and documentation processes. Addressed the reason for the
Must consider independence factors failure,
if assessor helps develop the CC. Implemented controls to meeting
▪ Evaluate the CC and perform testing to the requirement going forward,
determine if it is sufficient to consider the Implemented controls and
requirement In Place. processes to prevent (or detect)
▪ If CC is sufficient: reoccurrence.
Document the CCW in the ROC or ▪ If efforts to address item are sufficient:
SAQ. Document all in the INFI
Record an In Place result in the ROC Worksheet.
or SAQ. Record an In Place result in the
Keep CCW and supporting evidence ROC or SAQ.
in workpapers. Provide INFI Worksheet to entity.
▪ If CC is not sufficient: Retain INFI Worksheet and
Record a Not in Place result in ROC supporting evidence in
or SAQ. workpapers.
▪ If item is not addressed sufficiently:
Record a Not in Place result in
ROC or SAQ.
Example use Due to unexpected circumstances, the entity Due to lack of proper planning, the entity
case: Missing needed to change their ASV vendor right failed to perform one or more ASV scan(s)
ASV scan before scans were planned for the quarter. In during the past year. Once identified, the
preparation for this change, the entity entity’s reaction to the failure was to put
proactively implemented a compensating controls and processes in place to complete
control to address any risk until their new scan ASV scans going forward and to mitigate the
vendor could start performing scans: chance of missing ASV scans in the future:
▪ The entity determined what caused the
▪ Internal staff to scan the external systems missed scans (the assigned staff person
daily and quickly address any high risk or forgot to initiate the scans).
critical vulnerabilities.
▪ The entity began sending automatic
▪ Finding a new ASV vendor was prioritized notifications to several staff members
and external ASV scans were again immediately if an ASV scan was not
available within two weeks. performed on time.
▪ The entity implemented monthly ASV
scans going forward to increase the
chance of having four passing ASV
scans during the year.
▪ The entity implemented monthly
reporting to upper management about
ASV scan status and timely vulnerability
resolution.
PCI DSS v4.x Items Noted for Improvement and Compensating Controls Guidance June 2023
© 2023 PCI Security Standards Council, LLC. All Rights Reserved. Page 3