Ask the Expert

Best practices for merging with a company that is not PCI compliant

Our company is in the process of acquiring another business that has had some issues with PCI DSS compliance. What are some best practices for handling a merger while getting our counterpart up to speed on PCI?

First and foremost, keep in mind that until the merger is complete you can only make recommendations to the company being acquired. After the merger, you can start mandating activities. In the meantime, the best thing to do is sit down with security personnel and executives at the other company and create your own baseline assessment of their security position by learning as much about their systems as the lawyers allow. Useful data to collect includes system configurations, patch levels, network diagrams and their existing policies, procedures and organization charts. At the same time, educate them about your company's processes, policies and procedures because they will eventually have to comply with them.

During your discussions with the other company's personnel, also establish a rapport by helping them feel engaged and empowered through the acquisition process, which will ease the transition pain for everyone.

The quiet period before the acquisition is a prime opportunity to take the data you gathered from these meetings and assemble a project team to build out a plan for bringing the acquired company into compliance. This is also the time for management to set expectations for timelines and to appoint one person in the final organization who will have the final say on guidelines that require interpretation. The plan should include a schedule for any necessary patching and reconfiguration, as well as dates for the required assessments with your QSA.

Once the plan is in place and the merger is complete, you can impress the executives by meeting the scheduled deadlines. Doing this will also make life much easier for your auditors, and that's never a bad thing.

This was first published in November 2008
