What is the purpose of Appendix C in the PCI DSS documentation?


Multiple Choice

What is the purpose of Appendix C in the PCI DSS documentation?

Explanation:
This question tests how compensating controls are defined and used within PCI DSS. Appendix C explains that when a requirement cannot be met in the standard way due to legitimate constraints, an organization can implement compensating controls that provide the same level of protection and achieve the same security objectives. It outlines the criteria these controls must satisfy, the documentation and evidence needed, and how assessors evaluate and validate them to ensure the risk is mitigated as if the original control were in place. This keeps the cardholder data environment secure even when traditional controls aren’t feasible. The other topics (data encryption standards, vendor references, or password policies) are covered in different areas of PCI DSS and are not the purpose of Appendix C.
