Business Continuity Plans within the PCI DSS


A great many organisations have recently realised that their business continuity plans (BCPs) failed to consider a scenario in which a global pandemic necessitates total remote working. As such, continuing to maintain business as usual with staff confined to their homes has been challenging. Not least among the many challenges, this has created concerns about PCI DSS compliance.

Firstly, what does the PCI DSS say about BCPs? The short answer is, surprisingly little. Plans are only mentioned in a single requirement, almost as if they were a passing thought of the author's, quickly forgotten. For the curious and the purists out there, that requirement is 12.10.1, which states that your incident response plan should (among other things) address business recovery and continuity procedures. That's it: one single line in a 300-plus-page Standard. So, what on earth are you supposed to do to maintain compliance while adopting a new business continuity process?

Well, the answer, as regular readers of this blog (or listeners of our webinars) will recognise, is 'it's complicated'. However, it can be condensed down into a single word: 'scope'. That is to say, any implementation of a business continuity process will, in all likelihood, significantly alter the scope of your PCI DSS compliance. Therefore, whilst adopting a new process, you need to accurately assess the change to your scope and then determine what that change means for remaining compliant with the relevant requirements of the Standard.

In an ideal situation, your business continuity planning would have considered the impact of any given scenario on your PCI DSS scope and included the actions needed to adapt your business processes to the new scope. In reality, most businesses overlooked the PCI DSS scope implications within their BCPs.

So, here’s our advice:

Take the time now to completely reassess your PCI DSS scope, so that you return to a compliant state as soon as reasonably possible. Also, speak to your acquiring bank, because the current situation, which caused you to invoke your BCP, does not look like it is going away anytime soon.