The Payment Card Industry Data Security Standard (PCI DSS) provides a specific mechanism for entities that cannot meet a requirement as stated due to legitimate technical or business constraints. This mechanism is the implementation of a "compensating control." A compensating control must meet the intent and rigor of the original PCI DSS requirement, provide a similar level of defense, and be "above and beyond" other PCI DSS requirements. In this scenario, since the legacy system prevents encryption, the cloud provider must implement alternative controls to sufficiently mitigate the risk of storing unencrypted cardholder data to maintain compliance.

A. Privacy control: This is a general term. While related, it is not the specific mechanism defined within the PCI DSS framework for addressing an inability to meet a technical requirement.

B. Protection levels: This is a vague concept and not a formal term or process within the PCI DSS standard for achieving compliance when a specific control is not met.

C. Risk acceptance: Formally accepting the risk of not encrypting cardholder data is not a valid option for compliance with a mandatory PCI DSS requirement and would result in a finding of non-compliance.

1. PCI Security Standards Council (PCI SSC). Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures

Version 4.0. (May 2024). In Appendix B: Compensating Controls

the document states

"For many PCI DSS requirements

there may be more than one way to meet the requirement’s stated objective... PCI DSS also allows for compensating controls to be considered when an entity cannot meet a requirement explicitly as stated

due to a legitimate and documented technical or business constraint." (p. 211).

2. PCI Security Standards Council (PCI SSC). Navigating PCI DSS v4.0: A Guide for Assessors and Other Professionals. (May 2024). Section "Compensating Controls" explains: "Compensating controls are alternate security measures that can be used to meet a PCI DSS requirement when an entity is unable to meet the requirement as stated." (p. 13).

3. Amazon Web Services (AWS). PCI DSS Standard on AWS. (Rev. March 2024). The whitepaper discusses compliance strategies

stating

"If a customer is unable to meet a specific PCI DSS requirement due to a legitimate technical or business constraint

they can implement a compensating control... The compensating control must provide a similar level of defense as the original requirement." (p. 10).