A number of our clients have chosen to explore a compensating control for requirement PCI DSS 11.5; rather than deploying traditional file integrity monitoring software, some organizations have chosen to leverage other controls to meet this requirement. A common example of this is to use endpoint security software on in-scope systems to provide a level of defense and alerting that goes beyond what is required elsewhere in the DSS. If handled properly, this can be used as an effective compensating control for DSS 11.5.
Compensating controls will always depend on the specifics of your situation, so you should work with your QSA to determine whether this approach is viable in your case. Several of our clients have found this to be a cost-effective approach, especially if they have already made an investment in multi-function endpoint security software.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services
HALOCK is a cyber security consulting company headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.UPDATE The PCI SSC announced the final version of PCI DSS v4.0 won’t be published until 2021.
For PCI recommendations on payment processing with newly remote workers, PCI SSC suggests a review of key areas to protect payment card data. Read Article: Payment Processing in a Remote Working Environment