Requirement 3.4 of the PCI DSS applies to mainframes that store cardholder data. If the company has legitimate business or technical constraints to meet this or any other requirement, compensating controls may be applied. Compensating controls must be commensurate with additional risk imposed by not adhering to the original requirement. Please refer to Appendices B and C of the PCI DSS for more information on the use of compensating controls.
Article Number 1093