Chapter 8: Step 8 – Remediation Planning – PCI DSS: A Practical Guide to implementing and maintaining compliance, Third Edition


The remediation plan will integrate all findings from each of the assessments (gap, risk, establishing the baseline and audits) to build a combined remediation plan (also known as the security improvement plan, or SIP). Once again, it is well worth assigning experienced and qualified project managers to build the remediation plan, and ensuring that key stakeholders and sponsors form part of a project review board.

The project manager should develop and deliver the project documentation that demonstrates the rigour of all the processes described in the previous sections, and should outline a clear roadmap for delivering the PCI compliance plan within the agreed scope and timeframes.

As a minimum, the remediation plan should include the following:

  • Project start-up and mobilisation of key business stakeholders/sponsors.
  • Production of a project plan, e.g. a Gantt chart.
  • A detailed remediation plan incorporating all of the findings and what is proposed to be done about each of them.
  • Allocation of follow-on actions to named individuals.
  • Time frames for fixing/resolving the findings.
  • Presentation of the remediation plan to key stakeholders, the sponsor and senior management.
  • How, once implemented, your entity will continue to demonstrate PCI compliance.
  • Comparison to the security improvement plan and how the two will run concurrently.

Once developed, the project should be handed over to a business/department manager, who would be responsible for implementing the recommendations and providing the business-as-usual compliance functions required, e.g. audit, improvement and pen testing.

Tip: Whilst the remediation plan will specifically address the issues of PCI compliance, providing, in effect, a project plan of improvements, the SIP should continue to be used as the master document that tracks all improvements, including lessons learned from incidents and audit results (both internal and external), and should therefore be used as the basis for continuous improvement of your information security management system.

Figure 10 – An example of a PCI compliance programme time line (6-9 months)