Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: How Organizational Change Impacts Your PCI Compliance


Quick Take

On this week’s episode of Compliance Unfiltered, the guys jump in with both feet on the tough topic of organizational change and how it impacts an organization’s PCI compliance.

Adam covers some examples of organizational change with wide-reaching impacts. The guys chat about the new version of PCI and how its increasing complexity factors in as your organization goes through changes. Finally, Adam gives some insight on planning for organizational change as it relates to compliance.

All this and more on this week’s episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the weather vane to your compliance tornado, Mr. Adam Goslin. How the heck are you, sir?

I am glad I’m firmly bolted down. How about yourself?

Indeed, bolted down indeed. Now, these days, sir, many organizations are going through changes. But talk to us a little bit more about how organizational change impacts your PCI compliance.

Well, if you’re a successful business, or not a successful business, you know, your organization is going to go through some scaling and modifications, and you’re going to be approaching some form of organizational change. Maybe you need to rein things in. More optimistically, you have new offerings. You acquire another business. You go into a new market. Whatever you’re going through, whether it’s exciting, daunting, complex, whatever, those changes are going to happen. Those types of organizational changes will impact your PCI compliance, and many times it’s not even in ways you see coming until maybe you’re in the middle of it or even afterwards. So, you know, you don’t want to neglect, you know, the major security compliance decisions that you’ll need to consider, you know, the compliance issues that come along with it. They aren’t merely, you know, logistical issues, but, you know, depending on what type of a change it is, it could have pretty substantial impacts on your business, your ability to remain in compliance with PCI. So, you know, that’s kind of the lead-in, if you will, for the topic.

Now, what are some examples of the organizational change you’re talking about here?

Well, you know, at the end of the day, there are ripple impacts for organizations that are kind of going through some form of an expansion. You know, really, you’re going to fall into one of two categories. Either the existing organization has now become more complicated, you know, you’ve left it as one single organization, but an example being maybe we’ve got two physical data centers today and we add a third, or, you know, maybe we go ahead and layer on a new service offering for the organization. You know, in these types of cases, your existing footprint for PCI becomes more complex but stays under, you know, kind of one umbrella. And, you know, on the other side, maybe you’ve got the notion of an acquisition, where your organization acquires a company and the acquired company is going to either temporarily or permanently remain a separate entity or a subsidiary, you know, or division of the existing, you know, kind of parent organization. So, you know, the modification in terms of how your PCI needs to morph and flex with, excuse me, the organizational changes is going to depend on which of the, you know, kind of various categories apply to your situation. But, you know, regardless of the nature of the change, regardless of how you plan to implement it, et cetera, you know, I certainly recommend that the listeners consider, you know, in detail, what are the material impacts going to be to their compliance?

How should they go about doing it? Knowing and understanding, you know, what those various options may be, you know, could make it a far easier, you know, far easier or far more difficult approach. And we don’t want to have anybody going through any types of major organizational changes without early on engaging the expertise of their PCI consultant, or if you do happen to have an assessor, you know, then get them into the fold relatively early on. I actually had an organization that, you know, that I was working with that, you know, they were just doing their own thing, right? It didn’t even cross their mind to bring up, oh, hey, guess what, we’re about to go do fill in the blank, you know, and kind of bring me into the fold in terms of the conversation. And they brought me in really, really late into what they were doing, already down the path. I can tell you, man, it had some pretty substantial impacts and honestly injected a multitude of delays into, you know, into their plan. The biggest problem is, at that point in the game you’ve already made commitments to the executives, to your board, you know, to your investors, whatever it may be, right? Hey, we’re gonna get this thing done by here, and now all of a sudden you forgot to go talk about your compliance stuff, and, you know, now all of a sudden, oh shoot, we forgot about this, forgot about that, forgot about the other thing. So, you know, it’s really, really important. Nobody wants to be in that situation where they’re having to, you know, kind of put their foot in their mouth over, you know, commitments they’ve made around timing, and/or having everybody in the organization having to leap through fire hoops to make up for, you know, for what they, you know, kind of neglected along the way.

Yeah, most certainly. Now let’s chat about PCI for an organization that increased the complexity of their compliance landscape. Like, you know, people go through changes in terms of, like, how in depth, you know, they need to be from a compliance standpoint, and they don’t always have the right safeguards in place. What do we do here?

So, you know, once you’ve made those kind of strategic decisions about the expansion, then, you know, integrate that expansion into your existing footprint for PCI. You know, take the opportunity to, you know, again, just like I was saying a minute ago, you know, engage your PCI consultant, engage your assessor, et cetera. Identify those, you know, kind of ripple impacts, the requirements that you’re going to need to modify as a result of the organizational change. So going back to that, you know, kind of earlier example I gave about adding a, you know, you’re going to add another data center to the mix. You know, this simple introduction, well, now all of a sudden we’ve got impacts on things like your network diagram, your data flow diagram, inventory, you know, your elements for Requirement 9 for physical security. You know, now, instead of it being two data centers for all those requirements, now you’ve got three that you need to collect the information for again. So, you know, this is the point at which, you know, folks realize the value of a good, robust compliance management tool that has the capability to, you know, to hold and organize a repository of your compliance evidence, a tool that will allow you to take things like the PCI requirements and split them out into the various data center locations. You know, you want to be able to track and manage requirements for each location while also rolling them up, because, you know, the evidence from data centers one, two and three are all going to be pertinent elements that play up into the overall requirement. But you want to have kind of a moving piece and part for each of those locations as you go through. The challenge for leveraging things like manual systems, like an Excel sheet, or a semi-manual system where you’ve also got a network repository or drop where you’re going and dropping things in, means every time you have one of these tweaks to your compliance landscape, now I have to go back in and overhaul my existing internal storage system for compliance, et cetera. You know, a good compliance management system is going to allow you to be able to kind of flex as you’re going through the process.

Now, what about options for handling as an organization is going through an acquisition?

Like, acquisitions are some of the most uncertain times that an organization can have.

Yeah, well, you know, from a PCI perspective, the acquisitions can go a couple of different ways. If the kind of acquired company is going to remain completely separate from the acquiring organization, actually the path is pretty straightforward. You need a separate tracking management system for, excuse me, your separate entity. But what I often will see, maybe it starts that way, but then it starts to morph. People start to realize, well, you know what? It doesn’t make any sense to manage and maintain two separate information security policies, two separate acceptable use policies, et cetera. So, you know, a lot of times what I’ll see is, right out of the gate, it will start as a separate entity, then it will flip over to, you know, kind of starting to migrate toward being, you know, kind of being a subsidiary, you know, a subsidiary of that organization. Now, when you’re going through and you are doing it, let’s say it’s a parent company that’s sharing evidence down, you know, so let’s talk about that really quickly. So in this notion of, you know, some form of a subsidiary, there are really kind of two different ways that I’ve seen organizations run their engagement. One is where the parent company is effectively sharing their core evidence down to the subsidiaries. This model is most typically leveraged when each of the subsidiary organizations is intending on completing their own compliance paperwork, yet using inheritance from that parent organization. So when you’ve got those sub-entities that need to do that reporting separately, now you can set it up. So the easiest example that I’ve got for this is, let’s say that corporate, your parent organization, has an overall information security policy. That overall information security policy is now going to flow down to each of their subsidiaries. So in this case, things like the acceptable use policy, those policies kind of flow down from corporate HQ, where they take responsibility for certain requirements, where those flow down and into the subsidiaries. But the subsidiaries have the ability to collect their own evidence for things that they need to do for their requirements to support their compliance, et cetera. And they can go ahead, basically leverage the shared evidence from the parent and gather their own evidence as a subsidiary, and then present that to their assessor and report on their compliance completely separate from the parent.

Now, the next scenario is a different scenario, where let’s say, with the subsidiaries, you know, at the end of the day, the overall organization is going to fill out one, you know, kind of one piece of compliance paperwork to rule them all, you know, type of thing. However, that parent company, because of the fact it’s providing coverage for these various subsidiaries, has certain elements that they need to collect evidence and information for from the subsidiaries, that roll up and into the parent organization. You know, so under that scenario, let’s say I’ve got an organization that’s kind of more of a retail-style organization; a retail or a food-based establishment would be an easy example. So in that scenario, the subsidiaries are part of the overall organization, but you’ve got corporate franchises rolling up into corporate HQ. The franchise locations each will have their own point-of-sale devices that are on site that require inspections, require inventorying, things along those lines. And so each of the corporate franchise locations, let’s say I’ve got 20 or 30 of them, they can go in. And this is just one example of a requirement that would be at the corporate franchise level: they would go in, gather up all of their evidence, and then each of those 20 subsidiaries, their evidence for POS-PLI inspections would then flow up as part of the evidence for the one single corporate entity’s gigantic report that they would go in and do. And really, going through these scenarios, again, just underscores the value of a good compliance management system if you’re lucky enough to have that. Because now you’ve got the ability to have live linked evidence between the parent company flowing down to the subsidiaries, or the subsidiaries flowing up and into the parent company, that type of thing. So in that model where you’re collecting up information from 20 different subsidiaries, basically what you would mentally do is you would work on the items on the corporate certification. You’d go and work on that for those that don’t have a dependency on the subsidiaries, and then make sure that all the subsidiaries collect up and conclude their evidence collection so that then everything on the corporate side can be reviewed. But it’s actually watching it. Getting these things set up is its own exercise in fun. But once you’ve got this thing going, oh my god, dude, it’s like the clouds are parting, angels are singing, blah, blah, blah. Because now you’re not having to dive through all these manual machinations and fire hoops and all this other fun stuff. It’s just awesome when you can see the light bulbs completely come on for the organizations that are able to take advantage of this.

No, absolutely. Now, can you cover guidance for planning for change?

Sure. So even though this might be your first acquisition or this might be your first expansion, whatever it may be, don’t be short-sighted in that planning. It is one of the biggest things that I’ll see out of organizations, right? One thing that I hear a lot of times is, oh, well, it’s just the parent company and we’ve just got this one extra location, so we don’t need all the pain and the overhead. The problem is that one subsidiary becomes two, two becomes five, you know, et cetera, as companies grow and morph, and you’ve got, you know how it works. I mean, I can just kind of visualize the listeners chuckling to themselves, because they know how it works. You know, all of a sudden some exec gets a bee in their bonnet. Oh my God, we’ve got a fire sale with such and such a company and we want to go ahead and grab them and da, da, da, da. And it becomes this bee’s nest of, you know, go, go, go, go, go, because they want to try to make this come together. And man, every single fricking person involved in this thing has their foot on the floor, pedal to the metal. And, you know, all of a sudden you’ve gone from your nice serene quiet world to, you know, Fitz hitting the shed, you know, because everybody wants to dive through their butt to go make it happen.

So, you know, in the compliance space, the one thing I’m seeing more and more and more is that the complexity goes up. It’s unusual that it goes down. You know, so plan ahead. Make sure that you put in place the structure, the tools that you’re going to need to be able to readily scale, because you’re not going to have the luxury or the free time to, you know, turn around and tell the executives who have this bee in their bonnet, you know, hey, by the way, we’re going to need, like, another couple of months to go ahead and kind of get our compliance stuff all organized and whatnot to be ready for this. Yeah, they’re not giving you that opportunity. They’re just going to tell you to figure it out. So, you know, do it in advance. You don’t want to be, you know, freaking out as you’re trying to make it through this, nor do you want to try to put the structure in now that you’ve doubled or tripled or quadrupled the complexity of what you’re dealing with. You know, as we’re talking here about, you know, PCI, you know, you can imagine for organizations that, you know, start off with PCI, and then all of a sudden some big client comes along. They’re like, hey, guess what? We need you to be SOC 2. Well, we need you to be ISO 27001. We need you to be an SCSF, HIPAA, whatever. You know, planning ahead, having your ducks in a row, and certainly having the right tool sets, et cetera, that’s gonna be a game changer for the ones that, you know, kind of foresaw this coming.

Sure. Parting shots and thoughts for the folks this week, Adam?

Yep, just grabbing me a little bit of water so I can stop spewing all over the microphone here. You know, the one thing that I would like to bring up is that, so we’ve talked a little bit, we’ve talked a lot, sorry, about the nature of the changes, the styles and ways that these changes could impact and whatnot. But if you look at it from this perspective, if the parent company is effectively going to start sharing their evidence down to the subsidiaries, keep in mind that effectively what that means is the parent company now has the potential to become a service provider to those subsidiaries. So where the parent company used to just fill out merchant-style paperwork for, well, I tried to not cough and spew anymore, apparently I failed. So the parent company may have just filled out merchant paperwork previously; however, depending on which core services they’re sharing down to the subsidiary model, they may turn into that service provider. So I want the listeners to consider that as they go through, certainly. This is a big one: make sure that you understand what the structure of that service provider versus merchant relationship is between the people that are provisioning services, sharing services, after all the dust settles about how you want to go about doing this. Every single thing about compliance increases in complexity as you go through business growth, business expansion. You know, PCI is absolutely no different, but organizational changes are going to come into play, and there are opportunities for optimization and streamlining of, you know, kind of how you provision services to the now increasing complexity of your organization. They’re going to present opportunities, but opportunities that you want to make sure you’ve taken the time to really think through all of the ramifications of, so that you are truly prepared, you know, not only for heading down the path, but being able to do so without surprises and, you know, being capable of doing so in a sane manner, you know, making sure that you’ve got the right compliance tool sets, you know, on hand so that they will support the things that your organization is about to go do.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

And I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.
