"In the early years of the Payment Card Industry Data Security Standard (PCI DSS), and even one author's experience under the CISP program, the term compensating control was used to describe everything from a legitimate work-around for a security challenge to a shortcut to compliance."