If you’re a successful business, eventually your organization will scale and you’ll face some kind of organizational change. You might add new offerings, acquire another business, or venture into a new market. Whatever the shift, it means going through an exciting, daunting, and complex process to make that change happen successfully.
These types of organizational changes impact your PCI DSS compliance — often in ways you won’t see coming until you’re in the midst of the transition, or even afterwards.
Don’t neglect the major security and compliance decisions you’ll need to consider. These compliance issues don’t merely involve logistical tweaking — depending on the nature of the change, they could have seismic impacts on your business and your ability to remain in compliance with PCI DSS.
Follow these tips to navigate PCI compliance in the midst of organizational change.
What Kind of Organizational Change Are We Talking About?
In the end, your organizational changes will have PCI implications that fall into one of two categories:
- A more complex organization. You add complexity to your organization, but it remains one organization. For example, you add a third physical data center to the two you already have. Or, you layer on a new service line within your organization. In these cases, your existing footprint for PCI will become more complex, but it will stay under the same umbrella.
- An acquisition. Your organization acquires a company and the acquired company remains a separate entity as a subsidiary or a division of your organization.
How your PCI program should morph and flex with your organizational changes will depend on which of those categories applies to your situation.
Regardless of the category, I recommend that you consider in detail what it is that you’re about to go through from a compliance perspective, and how you should go about it. You’ll have several options in terms of approach, and some of them will make your job easier while others could make your life a living hell for a while.
Don’t attempt to go through any major organizational change without engaging the expertise of a PCI consultant early on. If you have a QSA, bring them in early, before you’re ready to initiate the changes.
PCI DSS for a More Complex Organization
Once you’ve made the strategic decisions for your expansion, you’ll need to integrate that expansion into your existing PCI footprint. Identify the ripple impacts and the requirements you’ll need to modify as a result of your organizational changes.
For example, let’s say you’re adding a data center. This simple addition will introduce complexities that have an impact on things like your network diagram, your data flow diagram, and your inventory. In particular, PCI Requirement 9: Physical Security will become more complex.
This is where a good, robust compliance management tool will be invaluable to you. I can’t overstate the significance of an organized repository of your compliance evidence. Leverage a tool that allows you to take the PCI requirements and split them across the various data center locations. You need to be able to track and manage the requirements for each location, while also rolling them up to each PCI requirement across your whole PCI engagement.
If you use a wholly manual system like Excel, or a semi-manual system like SharePoint or a network drive, every modification to your layout means you have to overhaul your existing tracking and management system. A good compliance management system will scale and flex as your organization grows.
PCI DSS During Acquisition
From a PCI DSS perspective, acquisitions can be handled in one of two ways. If the acquired company remains a completely separate organization from the acquiring organization, the path is pretty straightforward — you’ll need a separate tracking and management system for the separate entity.
That said, what I see more often is one company acquiring another company as its subsidiary. In that scenario, there are two ways of running your PCI engagement.
Parent company shares core evidence down to subsidiaries
In most cases, corporate headquarters provides the main artifacts for compliance, and those artifacts flow down to the sub-entity. If the sub-entity needs to separately report, the corporate organization will have items that sub-entities can inherit.
The easiest example is the overall information security policy. Handle this policy in an identical fashion for both the parent company and its subsidiaries, so that the parent company’s information security policy flows down. Similarly, the acceptable use policy will flow down to subsidiaries.
Under this arrangement, corporate HQ takes responsibility for certain requirements. Their evidence flows down live to the subsidiaries, and the subsidiaries collect their own evidence for the requirements that they need to prove as an entity. Subsidiaries can report on their compliance separately from the parent.
Subsidiaries share their evidence up to parent company
Under this arrangement, the subsidiary is effectively part of the same overall organization, but they have some responsibilities for generating evidence that can only be generated by their location. In this case, their evidence flows up to the parent company.
An example of what I see often is a corporate headquarters with a corporate franchise model. The franchisees typically have to do their own point-of-sale device inspections for each location. They go in, gather their evidence, load it to the subsidiary’s track in the compliance management system, and that evidence flows up to corporate headquarters.
Corporate then generates one gigantic certification report to rule them all, and that certification covers the scope of the parent company and the child organizations under one enormous umbrella.
The power of a good compliance management system comes into play especially in this scenario, because evidence can be live-linked between the various entities, updating automatically whenever there are tweaks or modifications at the subsidiary level. Once all of the subsidiaries have concluded their evidence collection, the parent company can finalize its evidence gathering and compliance engagement. You don’t have to redundantly copy the same information from multiple subsidiaries — and by multiple, you could be dealing with dozens or even hundreds of locations.
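To make the two evidence flows concrete, here is a small Python model of a parent company and its subsidiaries, written as an added example for this article (it is not TCT’s product or code, and the entity names, requirement labels such as "Req 12" for the information security policy and "Req 9" for physical security, and the sample evidence are constructed for illustration). Artifacts in `shared_down` flow from HQ to every subsidiary as the same object, so a revision at HQ is seen live by the children rather than copied; each location’s `own` artifacts flow up into a single roll-up table, and `gaps` reports which locations still owe evidence for each requirement.

```python
"""Toy model of evidence inheritance between a parent company and its subsidiaries.
Added example for this article, not TCT's product or code; entity names,
requirement labels and sample evidence are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Evidence:
    requirement: str      # requirement label, e.g. "Req 12" (information security policy)
    owner: str            # entity that produced the artifact
    description: str
    version: int = 1
    satisfied: bool = True


@dataclass
class Entity:
    name: str
    parent: Optional["Entity"] = None
    # Artifacts corporate HQ provides that child entities inherit (flow down)
    shared_down: Dict[str, Evidence] = field(default_factory=dict)
    # Artifacts only this entity can produce for its own location (flow up)
    own: Dict[str, Evidence] = field(default_factory=dict)
    children: List["Entity"] = field(default_factory=list)

    def add_child(self, child: "Entity") -> "Entity":
        child.parent = self
        self.children.append(child)
        return child


def inherited_view(entity: Optional[Entity]) -> Dict[str, Evidence]:
    """Evidence an entity holds from above plus what it shares downward itself."""
    if entity is None:
        return {}
    view = dict(inherited_view(entity.parent))
    view.update(entity.shared_down)      # same Evidence objects: a live link, not a copy
    return view


def effective_evidence(entity: Entity) -> Dict[str, Evidence]:
    """What one entity can report: shared artifacts flow down, its own artifacts fill the rest."""
    view = inherited_view(entity)
    view.update(entity.own)
    return view


def scope(root: Entity) -> List[Entity]:
    """The parent and every subsidiary under its umbrella, depth first."""
    result = [root]
    for child in root.children:
        result.extend(scope(child))
    return result


def rollup(root: Entity) -> Dict[str, Dict[str, bool]]:
    """Per requirement, the status of every in-scope entity (subsidiary evidence flows up)."""
    table: Dict[str, Dict[str, bool]] = {}
    for entity in scope(root):
        for req, ev in effective_evidence(entity).items():
            table.setdefault(req, {})[entity.name] = ev.satisfied
    return table


def gaps(root: Entity, requirements: List[str]) -> Dict[str, List[str]]:
    """Entities lacking satisfying evidence for each requirement; an empty list means
    the requirement is met across the whole engagement."""
    table = rollup(root)
    return {
        req: [e.name for e in scope(root) if not table.get(req, {}).get(e.name, False)]
        for req in requirements
    }


def build_example() -> Entity:
    """Constructed sample: HQ shares one policy; two franchise locations must each supply
    their own POS inspection evidence, and the second has not uploaded it yet."""
    hq = Entity("HQ")
    hq.shared_down["Req 12"] = Evidence("Req 12", "HQ", "information security policy")
    hq.own["Req 9"] = Evidence("Req 9", "HQ", "data center physical access records")
    store1 = hq.add_child(Entity("Store 1"))
    store1.own["Req 9"] = Evidence("Req 9", "Store 1", "POS device inspection log")
    hq.add_child(Entity("Store 2"))      # no Req 9 evidence collected yet
    return hq


if __name__ == "__main__":
    hq = build_example()
    print(gaps(hq, ["Req 12", "Req 9"]))        # {'Req 12': [], 'Req 9': ['Store 2']}
    hq.shared_down["Req 12"].version = 2         # HQ revises the policy once ...
    print(effective_evidence(hq.children[1])["Req 12"].version)   # ... every subsidiary sees 2
```

The point of the design is that `shared_down` is resolved by reference at report time, so a spreadsheet-style copy of the policy into each subsidiary’s folder is never made and can never go stale, while `gaps` is the roll-up view corporate needs before it can close out the engagement.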
Plan for Future Organizational Changes
This may be your first acquisition, but more may be on the way in the future. Don’t be shortsighted in your planning. One or two subsidiaries could eventually become five or more. Things become amazingly complex for your compliance engagement. Put in place the structure and the tools you need to readily scale, so you don’t have to undo it all and rebuild your compliance toolset with each acquisition.
And we’re just talking about PCI DSS. Imagine the enormous complexity if you’re also going up against multiple frameworks such as HIPAA, ISO 27001, and NIST. The right compliance tool can be an absolute lifesaver.
Reconsider How to File for PCI Certification
If you have shared services between the parent company and subsidiaries, then depending on what those services are, you may have to change how you file your PCI certification. You may have filed as a merchant in the past, but if your parent organization is now provisioning services to the subsidiaries, it may need to switch from filing as a merchant to filing as a service provider, because it is effectively provisioning services to the sub-entities.
As one of many possible examples, let’s say your organization currently has its own system for processing payments and your subsidiaries adopt your system. You have become a service provider to the subsidiaries.
Navigate Your Organizational Change with Confidence
Everything becomes more complex as you go through the process of business growth and expansion. PCI compliance certification is no exception. Organizational change is full of unforeseen pitfalls, but you can reduce disruption to your PCI compliance management by planning ahead wisely and having the right capabilities in your compliance management toolset.