Case Study

PCI DSS Compliance PMO Success Story

Our specialists deliver PCI compliance programme management assistance to help our global clients achieve and sustain compliance.

A global theme park based in Hong Kong engaged a Qualified Security Assessor (QSA) firm to perform a PCI DSS gap analysis, and a remediation plan was developed to address the identified compliance gaps. The scope of compliance covered the theme park's hotel, food and beverage (restaurant) and retail operations across Hong Kong, the back office (HR, finance and business operations), and the IT environment (applications, network, security and end-user desktops). The client also created a new internal role, recruiting a senior security specialist to manage the remediation programme together with the consultant from the QSA firm. Numerous remediation projects across different IT areas were commissioned.

Challenges

After almost a year, the client and the appointed consultant were still unable to obtain a clear view of progress across all remediation projects. Because the remediation projects were undertaken by project managers and leaders from a number of different IT areas, it was difficult to obtain the support of the various stakeholders for programme management reporting. Without programme management oversight and clear ownership of programme execution, the client was unable to provide on-time and accurate progress reporting on the remediation projects to local and global senior management. As a result, the senior security specialist in charge of the programme left within months of the start of remediation, and the replacement left within a year. The client terminated the services of the QSA firm.

How Our Advisors Helped

Our PCI specialists were then engaged to provide overall programme management assistance, global programme reporting and PCI DSS subject matter advisory for the remediation projects.

Bringing experienced programme management leadership together with technical subject matter expertise, we were able to address the strategic concerns of the client's local senior management (the CIO and Finance Director) while offering deep technical insight to the client's technical project teams. We streamlined and consolidated the existing remediation projects into structured workstreams, identified the interdependencies between related projects, defined key milestones and communication plans to meet the remediation objectives, and enforced the execution plans for all remediation projects. The overall remediation programme eventually involved more than 22 IT application and infrastructure projects, as well as 10 business and governance projects. Our team also worked closely with the client's global compliance group to establish and meet its reporting requirements.

Throughout the programme, our PCI specialists provided practical technical advice by understanding the client's technical environment and interpreting the compliance requirements for the client's specific situation. We also developed compliance and remediation monitoring methodologies adapted to the client's corporate culture, governance frameworks and the expectations of key stakeholders.

After 6 months of execution, the client achieved PCI DSS compliance when the globally appointed QSA from the U.S. performed the onsite validation assessment.

Key Success Factors

Among many success factors, the most crucial was that we quickly recognised that a large-scale compliance remediation programme requires more than technical knowledge. Our advisors therefore bring strong communication skills that allow them to engage in in-depth discussions with both senior management and technical personnel. This was achieved even though we do not speak Cantonese, the main conversational language in the client's environment.

Another factor that contributed significantly to the client's success was our strong leadership, which supported the client's programme manager by uniting internal and external remediation project teams with differing perspectives. Lastly, the team bridged the communication gap between the business and technical domains by interpreting the specific compliance considerations and their interdependencies for each side.

About Us

We help organizations address growth, performance and governance challenges in the rapidly developing Asian economies. Measurity's senior advisors bring insights using structured methodologies integrated with proven domain expertise and decades of industry experience. Our services are designed to create visible value that is verifiably measurable, pragmatically actionable and inextricably linked to your performance indicators. More importantly, we build critical organizational capabilities so you can achieve measurable success, purposeful results and sustainable outcomes.

Contact us

Lim Wei Chieh, Executive Director
T: +65 9382 8982
E: [email protected]

Edmund Ang, Executive Director
T: +65 9383 7072
E: [email protected]

Find out more at measurity.com

© MEASURITY™ is a professional training and consulting services firm branded under ASEANTLC PTE. LTD. (Registration No.: 201406978D), a Singapore incorporated company. ASEANTLC is part of the TLC network of professional services firms operating in the Asia Pacific region.