A number of our clients have chosen to explore a compensating control for PCI DSS requirement 11.5. Rather than deploying traditional file integrity monitoring software, some organizations leverage other controls to meet this requirement. A common example is to use endpoint security software on in-scope systems to provide a level of defense and alerting that goes beyond what is required elsewhere in the DSS. If handled properly, this can be used as an effective compensating control for DSS 11.5.
Compensating controls will always depend on the specifics of your situation, so you should work with your QSA to determine whether this approach is viable in your case. Several of our clients have found this to be a cost-effective approach, especially if they have already made an investment in multi-function endpoint security software.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services