Documenting Your PCI Compliance Program: Minimizing the Impact When a Key Employee Leaves

Life is great. You have an awesome PCI Team Coordinator that has been handling your compliance efforts for almost 10 years. They have established a well-run program, monitor all merchant payment processes throughout the year, successfully lead the merchants through annual SAQs, documentation updates, approve and set up new MIDs, review any new applications….and everything else that goes along with PCI compliance. What happens if that staff member comes to you with the news that they have accepted another position or they are taking early retirement? Depending on the new role they are taking, they may not be available to train their replacement. Now what?


Key employees, especially those that have been with your organization for an extended period of time, have organizational knowledge, developed expertise, and on-the-job experience that can be difficult to replace. 

It is important to capture and retain organizational knowledge throughout the career of each team member. As with any effort, it is key to not only establish processes, but to document those processes for your payment card merchants to follow.  Ensure you have formalized your PCI program with well-defined policies, procedures, and guidance documents that are stored centrally and access to these tools are shared across the organization.  This will help to ensure that knowledge, accumulated over time, is not solely retained by a key team member.  Deploying automated tools and technologies to assist with your compliance efforts can also help ensure compliance can continue as part of your business as usual.

If we focus specifically on your organization’s payment card security program, below is a detailed list of the primary processes you should have documented to avoid a compliance scramble:

1.) Establishing a new merchant

a.) New merchant application

b.) Formal approval process

c.) Instructions for setting up a new MID with your acquiring bank

d.) Instructions for setting up a new ecommerce site

e.) Approved options for solutions, equipment, and their costs

f.) Third-party vendor security review process for solutions that have not already been approved


2.) Evaluating payment methods

a.) Approved/standardized payment methods

b.) Approved equipment/devices

c.) Approved third-party service providers


3.) Merchant Responsibilities

a.) Merchant points of contact

b.) Attestation due dates/timelines

c.) Sample notifications explaining requirements

d.) Annual or semi-annual merchant survey

e.) Merchant payment card procedures

f.) Applicable SAQ Guidance for your merchants

g.) Network diagrams/cardholder data flow diagrams

h.) Staff awareness training lists

i.) Device inspection logs

j.) Guidance for submitting vulnerability scan reports


4.) PCI Compliance Program Documentation

a.) Merchant Inventory/device Inventory

b.) Payment Card Policy and staff acknowledgements

c.) Data Retention and Disposal Policy


5.) Vendor Management

a.) Required PCI contract/addendum language

b.) Inventory of third-party service providers

c.) Annual compliance documentation (AoCs for each vendor and applicable dates for renewal)

d.) Contacts for third-party service providers


6.) Incident Management

a.) Incident Response Plan

b.) Breach notification requirements (within third-party contracts as well)

c.) Contacts for acquiring bank and card brands

If your team needs assistance in the development of any of these key processes or documents, don’t hesitate to reach out to your dedicated CampusGuard Customer Advocate team.

Some additional guidance from the Customer Relationship Management team:

[Rasmusen]: Having a PCI Team that includes members from different areas can help your organization be prepared and ensure the responsibility does not fall on one department. We recommend having representatives from: Finance, Controller’s Office, Internal Audit, Information Technology and Information Security, as well as members from the merchant community. Our compliance portal, CampusGuard Central®, can be used to store and track necessary documentation ongoing so as team members change information is not lost. With the upcoming release of PCI DSS version 4.0 next year, verifying all of your processes and procedures are documented now will also help your team make a smooth transition and incorporate in any applicable changes. Please reach out to use for a free CampusGuard Central Demo.