$25.$

Which of the following is true regarding

compensating controls?

$$ A compensating control is not necessary if all other PCI DSS

requirements are in place

O A compensating controls must address the risk associated with

not adhering to PCI DSS requirement

O An existing PCI DSS requirement can be used as compensating

control if it already implemented

O A compensating control worksheet is not required if the acquirer

approves the compensating control