Let's take a look at the PCI SSC guidelines on remote PCI DSS assessments during the Covid-19 pandemic.
The PCI SSC has received many questions about remote assessments given the current coronavirus restrictions on travel and meetings. Today the PCI SSC published guidance on this topic on the PCI Perspectives Blog. Please take time to read the blog post.
PCI SSC has established a webpage dedicated to coronavirus-related news and issues during this time: https://www.pcisecuritystandards.org/covid19. This page will be updated regularly with news about PCI SSC events and about payment security issues affected by the global response to the coronavirus.
Please continue to check back with both our webpage and blog for regular updates.
PCI Security Standards Council
Troy Leach, Senior Vice President, Engagement Officer, PCI SSC, discusses guidance for performing assessments in light of the recent coronavirus outbreak.
The PCI SSC has received many questions about remote assessments given the unfolding global situation involving the spread of the coronavirus and international efforts to contain it. In this blog post we provide guidance to the assessor community on remote assessments.
PCI SSC recognizes that the unusual circumstances associated with the coronavirus are not limited to congregation of large groups for meetings and conferences, but may also impact other activities that typically require in-country or global travel, such as PCI assessments against the PCI DSS, Card Production, P2PE, and PIN standards. While onsite assessments are always expected, in this unique circumstance, individual health and safety must be considered when making decisions regarding onsite assessments.
Does an assessor need to be onsite?
PCI SSC recognizes there may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an onsite location to conduct an assessment, such as travel advisories or restrictions relating to coronavirus. In the event an onsite assessment is not currently possible due to such circumstances, assessors should follow the guidance in this blog.
When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and requirements are met before they sign off that a requirement is “in place” and complete a report on compliance.
Maintaining the Integrity of the Assessment
Assessors must take all necessary steps to ensure that the integrity of the assessment is not negatively affected by remote testing. For example, when testing remotely, special precautions may be necessary to ensure that the personnel being interviewed and the system components being examined are the same as they would be if the assessor were onsite. The methods used for observing implementations and collecting evidence must also provide at least the same level of assurance as an onsite assessment.
Assessors must also clearly document within the Report on Compliance why onsite testing wasn’t performed and how the remote testing provided an equivalent level of assurance. All relevant evidence must be retained as part of the workpapers for the assessment, in case of audit or other requests.
Additionally, assessor companies may also consider engaging qualified local assessor resources to assist. For example, for a PCI DSS assessment, if the primary QSA is unable to travel to the onsite location due to health concerns, they may engage an approved subcontractor to perform onsite aspects of the assessment in accordance with the QSA program requirements.
All measures should be taken to ensure the results of a remote assessment are commensurate with those resulting from an onsite assessment; it may therefore take longer to conduct the assessment remotely. Additionally, certain types of tests can only be done in-person and completion delays may be unavoidable.
All questions about how completion of an assessment may impact compliance should be addressed to the entity’s acquirer or the applicable payment brands.
General guidance for QSAs on onsite and remote assessments is also provided in FAQ 1455.
For more information and updates on how the coronavirus may impact PCI events, requirements or other activity, please visit our dedicated webpage. The PCI Perspectives blog will be updated with the latest information. Subscribe to the blog to receive instant email notifications.
We appreciate your understanding as we work with this evolving situation. We wish you good health and safety wherever you may be.