Resolving vulnerabilities found during a scan before a passing scan result can be issued is not always immediately possible, and sometimes the only possible solution is the use of a Compensating Control.
Compensating controls are not meant to be the de facto response to an identified vulnerability. Compensating controls may only be employed if a true technical limitation or business need prevents a vulnerability from being corrected. This is most commonly the case for zero-day vulnerabilities or if there is a legitimate business need to maintain the system in its current configuration.
If this is not the case, the scan customer must correct the noted vulnerability and arrange for another scan to assess the system's amended configuration.
If the use of compensating controls is warranted, qualified ASV personnel are expected to assess the compensating controls or other countermeasures that the scan customer reports as being in place, and to record an opinion as to whether they sufficiently mitigate the risk associated with the particular vulnerability.
If the answer is yes, the amended conclusion should be documented in the report under "Exceptions, False Positives, or Compensating Controls", and a passing result can be applied to the identified vulnerability.
Two things should be noted:
- The raw scan findings should not be amended (for example, a high CVSS v2.0 Base Score stays as reported); only the "Compliance Status" should be changed;
- The acceptance of the compensating control cannot be carried forward into future scans; it must be reassessed each time.
The customer's onsite assessor (QSA or ISA) would still be required to assess the compensating control or counter-measure in the scan customer's environment, and determine whether or not that is compliant with the PCI DSS.
What if your company is not subject to a QSA visit? It's a mystery....
Source: PCI Assessor newsletter August 11