In December 2004, the Payment Card Industry Security Standards Council (PCI SSC) released version 1.0 of the Payment Card Industry Data Security Standard (PCI DSS). This standard marked a turning point in the security management that had been applied to payment card data protection up to that point. By organizing a series of physical, logical and administrative controls into different groups and requirements applicable to a specific asset environment and data (cardholder data and sensitive authentication data), it was possible to define a security baseline for managing the risk associated with card payments. These same criteria have persisted throughout the different versions of the standard (currently v3.2.1, published in May 2018).

However, this standard and others like it (such as ISO/IEC 27001 or ISO 22301) do not take into account the size or complexity of the organization in which they are to be implemented, precisely so that they can be applied uniformly in any environment from a generalist perspective. And it is at this point that many PCI DSS projects, both implementation and formal assessment, fail: they approach compliance without a defined strategy, regardless of whether the organization is small or large.

Focusing on this last point, what elements should be taken into account to classify an organization as "small" or "large"? It all depends on what we compare it to, with the risk that the result may always be subjective. For reference purposes, the following values could be used to determine the size of an organization from a PCI DSS perspective:

  • Number of physical locations

  • Number of payment channels

  • Number of payment interaction points

  • Number of employees

  • Number of payment transactions processed

If we assume that an organization is "large" (because the answers to the above questions are significant figures), then we will also assume that implementing and operating the standard's security controls will be more complex than in a small organization, since its risk is proportionally higher.

In that regard, how can a compliance strategy be established that optimizes the effort, time, and cost of implementing PCI DSS controls in a large organization?

To answer this question, in February 2020 the PCI SSC published "PCI DSS for Large Organizations", which lists a number of strategies to improve a large organization's card payment environment within the PCI DSS standard. 

Divide and conquer: solving a difficult problem by breaking it down into simpler parts

An effective strategy for managing large and complex scenarios is to use the concept of "divide and conquer" (from the Latin Dīvide et īmpera), applying recursive logic to reduce a problem to one or several sub-problems of the same class or type as the original. The solution to the original problem is obtained by combining the solutions of the sub-problems.

Applying this concept, large-scale implementation of PCI DSS controls can be done by dividing the organization into environments, tasks, or business units that are more narrowly defined but have similar characteristics. For example, if a large organization has multiple payment channels in different geographic regions, with different acquirers and even with specific personnel, these elements can be grouped in similar environments, applying compliance actions at a specific level and adjusted to the cases of each of these groups. In the end, the organization’s overall compliance will be the sum of the compliance of these groups.

To ensure consistency throughout the organization, some tasks must be cross-cutting (e.g., implementing security policies and managing projects globally), but others can be specific and customized to each environment based on its risk. It is essential that centralized monitoring of activities is maintained to identify possible deviations and to obtain an overview of the compliance status at any time that is required.

The information supplement "PCI DSS for Large Organizations" identifies a number of critical areas in which this criterion can be applied, as follows:

1. Roles, responsibilities, and ownership

  • Identification of PCI DSS compliance actions at the business unit, functions, or geographic location level.
  • Assigning specific responsibilities based on those actions to specific roles.
  • Use of responsibility assignment matrices (RACI) to relate activities to resources (individuals or workgroups).

2. Mergers and acquisitions

  • Identification of payment channels to be added or removed.
  • Identification of the compliance levels of the business units to be sold or acquired.
  • Management of PCI DSS alignment activities in each business unit sold or acquired.

3. Managing acquirers and payment channels

  • Identification of the annual transaction volume for each existing payment channel and with each acquirer, and execution of compliance validations by channel.
  • Execution of PCI DSS validations in the organization, reporting the compliance results of each channel through a single Report on Compliance (RoC) or through separate reports for each payment channel (to be agreed with each acquirer).

4. Multiple audits and assessment

  • Use of a strict control baseline as a template at the global level (an SAQ D, for example) and assessment of the applicability of each control in each of the identified business units or channels.
  • Establishment of specific dates for each business unit's compliance assessment (compliance and assessment cycles).
  • Status monitoring of compliance documentation and the introduction of new payment channels with each business unit.

5. Education and awareness

  • Identification of roles and responsibilities in the organization.
  • Determination of PCI DSS knowledge areas based on the roles identified above.
  • Development of training material based on the topics that each audience needs to know.

6. Systems management to maintain PCI DSS compliance

  • Identification and classification of assets into groups based on similar characteristics (operating system, location, function, etc.)
  • Definition of policies for securing each identified group of assets, including access control, vulnerability assessment, deployment of updates, etc.

7. Laws, regulations, and standards

  • Identification of local laws, regulations, standards and frameworks applicable in each region and/or business unit.
  • Review of compliance status and identification of common controls.

In summary, the strategy for implementing PCI DSS in large organizations rests on four very simple premises:

1. Definition of a strict compliance baseline at the global level of the organization.
2. Identification, classification and organization of assets into groups based on similar characteristics.
3. Analysis of the applicability and deployment of PCI DSS controls in each of these groups based on their risk.
4. Centralization of monitoring, follow-up and compliance reporting.

The success of this process is based on a corporate culture of collaboration and communication, as well as the support and commitment of executive management.


Written by David E. Acosta

I am the Senior Security Consultant in Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies and design and policy development among others.

Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor