Q

Best practices for merging with a company that is not PCI compliant

Learn how to make sure you and your partner are compliant with PCI DSS while you prepare for the merger process.

Our company is in the process of acquiring another business that has had some issues with PCI DSS compliance. What are some best practices for handling a merger while getting our counterpart up to speed on PCI?

First and foremost, keep in mind that until the merger is complete you can only make recommendations to the company being acquired. After the merger, you can start mandating activities. In the meantime, the best thing to do is sit down with security personnel and executives at the other company and create your own baseline assessment of their security position by learning as much about their systems as the lawyers allow. Useful data to collect includes system configurations, patch levels, network diagrams and their existing policies, procedures and organization charts. At the same time, educate them about your company's processes, policies and procedures because they will eventually have to comply with them.

During your discussions with the other company's personnel, also establish a rapport by helping them feel engaged and empowered through the acquisition process, which will ease the transition pain for everyone.

The quiet period before the acquisition is a prime opportunity to take the data you gathered from these meetings and assemble a project team to build out a plan for bringing the acquired company into compliance. This is also a good time for management to set expectations for timelines and to appoint a person in the final organization who will have the final say on guidelines that require interpretation. The plan should include a schedule for any necessary patching and reconfiguration, as well as for scheduling the required audits with the Qualified Security Assessors (QSAs).

Once the plan is in place and the merger is complete, you can impress the executives by meeting the scheduled deadlines. Doing this will also make life much easier for your auditors, and that's never a bad thing.

This was first published in November 2008
