A3.2.3 Changes to organizational structure result in a formal (documented) review of the impact to PCI DSS scope and applicability of controls.
Defined Approach Requirements
A3.2.3 Changes to organizational structure result in a formal (documented) review of the impact to PCI DSS scope and applicability of controls.
PCI DSS Reference: Requirement 12
Customized Approach Objective
This requirement is not eligible for the customized approach.
Defined Approach Testing Procedures
A3.2.3 Examine policies and procedures to verify that a change to organizational structure results in a formal review of the impact on PCI DSS scope and applicability of controls.
Purpose
An organization's structure and management define the requirements and protocol for effective and secure operations. Changes to this structure could have negative effects on existing controls and frameworks, either by reallocating or removing resources that once supported PCI DSS controls or by inheriting new responsibilities that may not have established controls in place. Therefore, it is important to revisit PCI DSS scope and controls whenever there are changes to an organization's structure and management, to ensure controls are in place and active.
Examples
Changes to organizational structure include, but are not limited to, company mergers or acquisitions, and significant changes or reassignments of personnel with responsibility for security controls.
Purpose
Designated Entities must maintain documentation of PCI DSS scope confirmation activities.
Compliance Strategies
- Scope review logs
- Documentation retention
Typical Policies
- Scope Review Documentation Policy
Common Pitfalls
- No evidence of scope confirmation
Type
Documentation Control
Difficulty
Low
Key Risks
- Inability to demonstrate compliance
Recommendations
- Centralize scope documentation