When most people think about PCI DSS, they picture firewalls, encryption, and penetration tests. Technical controls naturally dominate the conversation. But in practice, one of the most significant risks to PCI DSS compliance isn’t found in your firewall or code – it’s in your people.
High staff turnover, or the revolving door problem, quietly undermines compliance programmes every year. If your people come and go faster than your processes can keep up, the chances are you’re carrying risk without realising it.
This isn’t just a theoretical issue. As QSAs, we see it first-hand: environments where good people have left, their knowledge has gone with them, and compliance has become fragile.
Let’s explore where churn hits hardest, why it matters for PCI DSS, and what you can do about it.
Where employee churn undermines PCI DSS
Access control and user management: One of PCI DSS’s fundamentals is ensuring only the right people have the proper access at the right time. When joiners, movers, and leavers processes don’t keep pace with reality, dormant accounts linger and excessive privileges build up. These are red flags for both security risk and compliance failure.
Knowledge gaps: In many businesses, a handful of individuals are the ones who really understand how cardholder data is stored, transmitted, or protected. When they leave, entire chunks of operational knowledge disappear. Their replacements may not know why something was configured a certain way, which makes assessments more painful and ongoing compliance much weaker.
Policy and awareness: PCI DSS requires annual security awareness training. That’s fine on paper, but in a high-churn environment, you constantly have new staff who may never have been onboarded into PCI DSS responsibilities. The risk? Policies that look good in an audit pack but don’t reflect reality on the shop floor or in the call centre.
Evidence continuity: Compliance lives and dies on evidence. If last year’s team gathered logs, screenshots, and records one way, and that person has since moved on, there’s often no repeatable process in place. We frequently find ourselves asking, “How did you demonstrate this control last year?” – only to be met with blank stares.
The QSA perspective: how churn shows up in assessments
When we sit down with clients during assessments, churn manifests in very recognisable patterns:
- Lost evidence trails: Nobody knows why a control was set up or where the proof is stored.
- Over-reliance on individuals: One person still holds the keys – until they don’t.
- Box-ticking instead of BAU: New teams inherit a compliance “binder” but don’t understand what’s behind it.
This often leads to elongated assessments, extra remediation work, and sometimes a real risk to maintaining PCI DSS compliance status.
Why PCI DSS v4 makes churn riskier
Version 4 of the standard has shifted the emphasis towards business-as-usual. It’s no longer enough to show compliance once a year. Requirements now expect continuous processes, targeted risk analysis, and demonstrable resilience.
That means your PCI DSS programme can’t rely on a handful of individuals or one annual push to “get compliant”. If compliance falls apart when someone leaves, you’re not aligned with v4’s intent.
Building resilience beyond individuals
Forward-thinking organisations approach PCI DSS as an organisational capability, not an individual’s responsibility. The goal is to make compliance survive staff turnover.
That involves:
- Clear documentation: Not just policies, but practical runbooks on how controls are operated on a day-to-day basis.
- Shared ownership: Spreading responsibility across teams so no single person is a point of failure.
- Automation, where possible: Reduces manual effort in log reviews, access provisioning, and evidence collection.
- Regular knowledge transfer: Including cross-training, team briefings, and review sessions to maintain broad awareness.
The leadership and culture angle
Employee churn isn’t always random – sometimes it’s a symptom of culture. If PCI DSS responsibilities feel like an unrewarded burden, your staff can burn out or disengage. That in turn fuels shortcuts, weak processes, and rising risk.
Leaders who take compliance seriously – not just as a tick-box but as part of protecting customers and brand reputation – create an environment where employees see purpose in PCI tasks. Framing and recognition matter too. Even small acknowledgements can shift compliance activity from “extra work” to “part of doing the job well.”
Practical steps to protect compliance from churn
There are simple measures every organisation can take:
- Regular gap analysis: Identify whether turnover has created blind spots in processes or evidence.
- Onboarding and offboarding playbooks: Ensure HR and IT processes directly map to PCI DSS requirements.
- Cross-training: Make sure no single engineer or analyst is the sole knowledge holder for critical controls.
- Ongoing compliance support: Don’t treat PCI DSS as an annual event. Continuous checkpoints make churn far less damaging.
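One way to turn the joiners/movers/leavers gaps described above into a repeatable, automated check, as an added example that is not part of the original article: reconcile an HR roster export against an IAM account export and flag leaver accounts still enabled, privileged accounts whose holder's current role no longer justifies them, accounts with no HR owner, and accounts past an inactivity window. The roster, account records, role names and the 90-day window are constructed and assumed here (90 days matches the inactive-account limit in PCI DSS v4 requirement 8.2.6; adjust to your own policy).

```python
from datetime import date

# Constructed sample exports (not from any real HR or IAM system).
HR_ROSTER = {
    "alice": {"status": "active", "role": "payments-engineer"},
    "bob":   {"status": "left",   "role": "payments-engineer"},
    "carol": {"status": "active", "role": "call-centre-agent"},  # mover: used to be in payments
}
IAM_ACCOUNTS = [
    {"user": "alice",   "privileged": True,  "last_login": date(2024, 6, 1)},
    {"user": "bob",     "privileged": True,  "last_login": date(2024, 5, 2)},
    {"user": "carol",   "privileged": True,  "last_login": date(2024, 2, 1)},
    {"user": "svc-old", "privileged": False, "last_login": date(2023, 12, 1)},
]
# Assumed mapping: HR roles that justify privileged access to the CDE.
PRIVILEGED_ROLES = {"payments-engineer"}
INACTIVITY_DAYS = 90  # PCI DSS v4 req. 8.2.6 inactive-account limit


def reconcile(roster, accounts, today, inactivity_days=INACTIVITY_DAYS,
              privileged_roles=PRIVILEGED_ROLES):
    """Return (user, finding) pairs for every account that fails a JML check."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # Account has no HR owner: orphaned service/test account or a leaver
            # whose HR record was purged before IT removed the account.
            findings.append((user, "no-hr-owner"))
        elif person["status"] == "left":
            # Leaver process lagged: access should have been revoked immediately.
            findings.append((user, "leaver-still-enabled"))
        elif acct["privileged"] and person["role"] not in privileged_roles:
            # Mover kept privileges from a previous role.
            findings.append((user, "excess-privilege"))
        if (today - acct["last_login"]).days > inactivity_days:
            # Dormant account regardless of owner status.
            findings.append((user, "inactive"))
    return findings


if __name__ == "__main__":
    # Run on a fixed date so the output is reproducible as assessment evidence.
    for user, finding in reconcile(HR_ROSTER, IAM_ACCOUNTS, date(2024, 6, 15)):
        print(f"{user}: {finding}")
```

Running it on a schedule and keeping the dated output gives the "how did you demonstrate this control last year?" answer that a departing engineer would otherwise take with them.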
Conclusion
Employee churn is inevitable. What isn’t inevitable is letting it erode your PCI DSS compliance. The real test of a compliance programme isn’t how well it works when your best people are in place, but how resilient it is when they leave. By designing PCI DSS as an organisational capability, rather than an individual’s burden, you not only protect compliance but also strengthen your overall security posture.