We come across many interesting business scenarios in our line of work. Clients dealing with the Payment Card Industry Data Security Standard (PCI DSS) face a wide range of challenges, whether they are just getting their feet wet with understanding the requirements, remediating gaps identified in an assessment, or diligently embracing PCI as "A Way of Life". NCI is here to help organizations better understand the standard and become PCI DSS-compliant.
We recently came across an interesting scenario: a client that is currently PCI DSS-compliant is dealing with a potential sell-off of a piece of its business.
What are the implications and responsibilities for the seller and the buyer? Below are some points to consider.
- There is a subtle but important difference between compliance and validation. Compliance is a continuous state (24x7x365); validation is a periodic, point-in-time exercise that produces a Report on Compliance (ROC) or Self-Assessment Questionnaire.
- The divested business unit, whether still part of the SELLER or operating as its own legal entity, should be maintaining its compliance at all times. When it starts operating on its own, the controls should already be in place even though it does not yet hold a valid ROC in its own name.
- Going forward, the sold-off entity will no longer be in the SELLER's scope, so it will not affect the SELLER's ongoing PCI efforts. If the business processes and technologies go with the sale and are already fully isolated (separate network segments, systems and personnel), the transition is much easier for both parties.
- To avoid complications and intricacies, make the separation a clean one, both legally and technically. Avoid "interesting" lingering relationships over who owns equipment or who provides staffing; any shared infrastructure or shared staff with access to cardholder data keeps both entities in each other's scope. Sever the ties and see them on their way.
- PCI-wise, the divested unit is a new legal/business entity with its own PCI obligations. That new entity or the BUYER will have to renegotiate its contracts with Visa, MasterCard, etc. (in practice usually through its acquiring bank). With that will come direction as to whether the BUYER can keep or rely on the existing ROC or must produce a new one. Most likely a new one will be required, which also means a new submission date.
- In the meantime, the SELLER must continue to meet its existing obligations and submit by its renewal date. It needs to make sure that a) the assessment scope is clearly described and b) if the sale has not closed yet, the division being sold is listed in the exclusions section of the ROC.
Since 2007, NCI has helped clients reduce the cost and time required to achieve PCI compliance within their organization, as an Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA) and Point-to-Point Encryption (P2PE) Assessor.
Posted by Anne Kwok, Sr Account Executive, BSc, MBA and Jason Murray, Sr Security Consultant, MEng, CISSP, QSA, CCSK