Coronavirus and Remote PCI Assessments
In an unprecedented move, the Payment Card Industry Security Standards Council (PCI SSC) is allowing fully remote assessments. PCI SSC has always made it clear that it intends for on-site testing to be the norm, with the majority of PCI DSS assessment testing completed at the client’s physical location.
In a blog published yesterday, however, Tony Leach, Senior Vice President, Engagement Officer, PCI SSC, provided guidance for performing assessments in light of the recent coronavirus outbreak.
In the blog he stated: ‘PCI SSC recognizes the unusual circumstances associated with the coronavirus. While onsite assessments are always expected, in this unique circumstance, individual health and safety must be considered when making decisions regarding onsite assessments.
When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and requirements are met before they sign off that a requirement is ‘in place’ and complete a report on compliance. It may therefore take longer to conduct the assessment remotely.
Assessors must take all necessary steps to ensure that the integrity of the assessment isn’t negatively affected by remote testing – for example, when testing remotely, special precautions may be necessary to ensure that the personnel being interviewed and system components being examined are the same as if the assessor was onsite.
All measures should be taken to ensure the results of a remote assessment are commensurate with those resulting from an onsite assessment. The methods used for observing implementations and collecting evidence must also provide at least the same level of assurance as for an onsite assessment. Assessors must also clearly document within the Report on Compliance (RoC) why onsite testing wasn’t performed and how the remote testing provided an equivalent level of assurance. All relevant evidence must be retained as part of the workpapers for the assessment, in case of audit or other request.’
So, whilst remote assessments will be permitted should coronavirus measures make an on-site assessment infeasible, qualified security assessors (QSAs) remain obliged to preserve the integrity of the assessment and to produce defendable, well-documented RoCs backed by sufficient evidence and sampling. At URM, we have made considerable investments during the past 12 months to facilitate remote working, and as the coronavirus situation has developed we have considered how best to ensure ‘business as usual’, i.e. that assessments are conducted, and RoCs validated or SAQs completed, in a timely manner.
We have access to video conferencing facilities such as Skype and Teams and can facilitate screen sharing. URM also champions the use of video capability for the more challenging areas of a remote assessment, such as physical security. So, whatever the situation and whenever your PCI assessment is due, URM will work flexibly with you to ensure ‘business as usual’.