Page 1 of 3
3. Ownership & Responsibility
4. PCI Remediation Project Team
5. Status & Reporting
1. Summary: This framework will provide a structure to establish gap and remediation
2. Classifications: Compliance/regulatory control gaps and remediation projects, and the way
they cross business lines, are classified into one of three scenarios:
2.1. Business unit (Single group) with remediation gap(s).
2.2. Business process across multiple lines of business, with remediation gap(s).
2.3. Business process with third party.
After a COMPLIANCE/REGULATORY control gap has been identified and confirmed by the
AUDIT MGT. Team and/or the contracted “Qualified Security Assessor” (AUDITOR), the
following process is to be followed.
3. Ownership & Responsibility:
3.1. The first step is to identify the business owner of the data.
3.2. The final determination of the party that owns both the gap and the responsibility of
compliance is the business owner of the in-scope data.
3.3. For example, if a server system, application or process is non-compliant, it is the
responsibility of the business owner of that data to lead and coordinate the
remediation project and efforts.
3.4. Although the remediation efforts and their execution may depend on the supporting
engineers, the responsible party is the owner of the data that brings the system
and/or process into scope for COMPLIANCE/REGULATORY and thereby places that
system and/or process out of compliance.
In short, it is the data that puts a system in scope in the first place, so if
a system is out of compliance, the data owner holds final responsibility
for the compliance of that system.
4. Remediation Project Team: After gap and remediation ownership has been
established, create a PCI Remediation Project Team.
4.1. Team Creation: The “PCI Remediation Project Team” should consist of the following:
4.1.1. Identified and known affected business-lines/groups
4.1.2. The AUDIT MGT. Team
4.1.3. Process and/or technology engineers/support
4.1.4. Applicable vendors
4.1.5. When applicable, the contracted Qualified Security Assessor (AUDITOR)
4.2. Team Responsibilities: After all of the initial parties have been identified and/or
contacted, set up a meeting to accomplish the following goals:
4.2.1. Assign a group PM from either the business unit or the PMO
4.2.2. Assign PMs and/or POCs for all affected business-lines/groups
4.2.3. Define the PCI control gap
4.2.4. Discuss remediation options
4.3. Remediation Options: After remediation options are determined, the following
process is to be followed:
4.3.1. Consult the AUDITOR on the remediation options – AUDIT MGT. Team
4.3.2. Research remediation options costs – Business-line/groups
4.3.3. Research remediation impact to business operations – Business-line/groups
4.4. Remediation Plan: After a remediation option has been agreed upon and reviewed
by both the AUDIT MGT. and contracted AUDITOR, the following process is to be
4.4.1. Formulate a remediation plan
4.4.2. Establish an overall timeline to complete the remediation plan
4.4.3. Define the business requirements
4.4.4. Determine budget needs
4.4.5. Obtain budget approval through appropriate budget sub-group
4.4.6. Follow corporate SDLC to implement remediation to address the identified gap
4.4.7. Include the AUDIT MGT. in the project status reporting distribution
4.4.8. If third parties are involved, confirm that all legal documents are in place with
the third-party entity (e.g. NDA, PCI compliance standing)
4.4.9. Schedule periodic site visits to the third party facility with AUDIT MGT. staff
for facility and process review
4.4.10. Log findings and address any compliance issues
4.4.11. If compliance issues are found, contact the third-party liaison and determine
5. Status & Reporting: Gap/Remediation Project Owners and PMs are required to keep
the AUDIT MGT. Team informed of their efforts to move towards compliance. These
updates are required and requested by upper management so that a high-level
COMPLIANCE/REGULATORY compliance and remediation status can be known and
5.1. Responsibility: It is the responsibility of the Remediation Project Manager, if one
is designated, or otherwise of the business/gap owner, to report the gap/remediation
project status.
5.2. Report Status to: Gap and remediation project status updates are to be made to the
AUDIT MGT. Team, specifically the AUDIT MGT. Team project manager.
5.3. Report Frequency: Remediation project status is required to be communicated at a
5.4. Report Content: Gap and remediation project status updates should include when
5.4.1. Defined and assigned “Gap/Remediation Owner/s”
5.4.2. Project Manager (if assigned)
5.4.3. “Remediation Project Team” meeting status and schedule
5.4.4. Remediation strategy status (i.e. strategy development, budgeting, testing)
5.4.5. Remediation timeline (high level timeline of final implementation/change)