The PCI SSC has recently released new remote assessment guidelines and procedures. Here we address a number of key questions:
What are the Main Contents?
- A set of principles and procedures which govern how remote assessments of compliance with PCI SSC standards such as PCI DSS must be conducted.
- Detailed best practices and guidelines for remote testing methods used in different types of testing activities.
- A template for justifying the use of remote assessment activities for Reports on Compliance (ROC) and Reports on Validation (ROV).*
- Requirements and expectations for PCI SSC assessors when assessing remotely.
*We will focus particularly on ROCs in this document.
What Led to it Being Published?
With the emergence of COVID-19, the PCI SSC received numerous questions about the role of remote assessments when an onsite assessment could not be performed.
In response to the questions, the Council issued guidance on remote assessments in the form of blogs, webinars and forums. The Remote Assessment Guidelines and Procedures document provides a more formal and detailed approach for the appropriateness and use of remote assessments.
Is the Council Endorsing the Use of Remote Assessments?
The answer is yes but with a number of provisos attached. The Council’s preference is for assessments of compliance against its standards to be conducted onsite. It is argued that onsite assessments provide greater insights and security assurance than remote assessments.
As such, fully remote assessments should only be considered when there are clear and unavoidable barriers preventing an onsite assessment from taking place. If these barriers are not present, assessors are expected to perform onsite assessments.
Ultimately, it is about assessors being able to obtain the level of assurance that organisations are fully meeting the requirements of a PCI Standard, such as PCI DSS.
Are PCI Remote Assessments Easier and Quicker to Conduct?
In many other fields the answer to this question may be yes, but it is usually not the case with PCI assessments. Remote assessments will typically require meticulous and detailed preparation and planning (including a feasibility study) and may take more time to complete than an onsite assessment.
Assessors are required to apply the same rigour and integrity to remote assessments as onsite assessments and there may be scenarios where onsite testing is required in order for the assessment to be completed.
What are the Main Requirements Attached to Conducting Remote Assessments?
Remote assessments should be undertaken only after a thorough feasibility analysis has been conducted. The feasibility study provides an opportunity for the client and the assessor to work together to discuss the scope, challenges, and potential risks of a remote assessment.
The feasibility analysis results must be included with the applicable ROC. It is very important that there is extensive communication between the assessor and the organisation, not just during the planning stage of the assessment, but throughout the duration of the assessment.
There should be, for example, continuous monitoring and evaluation of the remote testing methods to ensure they are effective and to determine whether additional testing may be needed.
Remote assessment activities must not reduce or negatively impact the security of the environment being assessed.
If a remote assessment would breach an entity’s security rules, an onsite assessment will be required. Remote assessment activities must also not violate a PCI standard security requirement in order to assess that environment to the standard.
The assessor is ultimately accountable for evaluating the level of assurance the remote assessment provides. If the assessor is unable to obtain the level of assurance needed to produce a passing audit result, an onsite assessment must be arranged or the assessment remains incomplete.
Where are Remote Assessments ‘Appropriate’?
- Where external factors restrict or hinder onsite assessments from being conducted. There may be health and safety restrictions that have been imposed by government bodies that prevent assessors from travelling to a site or being on a site which involves face-to-face contact. There also may be geographic locations which are physically inaccessible or difficult to reach.
- Where business and operational practicalities support the use of remote assessment methods over onsite testing. The organisation being assessed may operate totally in the Cloud and does not have any physical premises or facilities. There is also the scenario where an organisation has outsourced all its infrastructure to a third-party provider which has been separately assessed as being PCI compliant and where all the outsourcing organisation’s staff work from home.
- Where the assessment requirements for a particular location are limited to documentation (e.g. policies and processes) reviews* and interviews, and where there are no requirements to observe processes, systems, or the physical environment of the organisation.
*There may be rare instances where, due to the confidentiality of documentation, organisations will only allow it to be reviewed onsite.
In essence, the reasons for not completing onsite assessments should be defendable and based on a rational and realistic evaluation of the situation. Furthermore, the assessor must be able to obtain the level of assurance that is required to assess a certain requirement.
If that level of assurance is not achieved, the assessor must look for ways to obtain that level of assurance, which may involve the assessment continuing on the organisation’s site.
Where are Remote Assessments not Appropriate?
The simple answer to this question is the converse of the previous question, i.e. where it is not possible to defend a remote assessment on a rational and realistic evaluation of the situation and where it is not possible for an assessor to obtain the level of assurance required to assess a specific requirement.
There are a number of reasons why the PCI SSC’s expectation is for PCI DSS assessments to be conducted onsite wherever possible. These include:
- With onsite assessments, assessors have greater ability to witness processes and controls first-hand and as they occur.
- There is also less opportunity for non-compliances to be hidden or excluded from the review.
- It is more efficient and quicker to interact with the client face to face, where assessors are able to gauge the interviewees’ understanding and knowledge of PCI DSS.
- When the assessor is onsite, it is also easier to pull additional resources into an interview where required.
URM’s experiences when conducting remote assessments through the COVID-19 pandemic reinforce some of these arguments.
With remote assessments, there is undoubtedly a greater requirement for careful planning on both sides to ensure that the assessor will be able to gather the required evidence and assurance to determine whether a requirement is in place or not.
If that requirement cannot be achieved, the assessment is considered incomplete until onsite testing can be performed.
Are there Additional Documentation Requirements in Completing a ROC?
Yes, the Guidelines document has introduced an Appendix A, Addendum for ROC/ROV. This addendum provides the assessor with an opportunity to explain why the decision was made to perform the assessment remotely and to what extent.
It also requires the assessor to document the types of testing that were performed remotely, such as reviewing documentation, interviewing personnel, etc. The assessor must also attest that a thorough assessment was conducted and a high degree of confidence in the overall assessment has been achieved.
It is imperative that the assessor is able to ‘defend’ the decision of choosing a remote assessment, and the findings in the ROC. As referred to previously, the results of the feasibility analysis must be included with the applicable ROC.
How Does the PCI SSC Document Help?
Apart from providing guidance on procedures, the document includes best practices and guidelines for remote testing methods, e.g. documentation reviews, interviews, examination of systems and data, observations of processes and physical environments, and interactive testing.
With each type of testing activity, the document explores:
- Potential challenges and considerations of remote assessments, e.g. factors affecting reliability of evidence.
- Additional testing activities to help mitigate reliability and assurance gaps.
- Potential scenarios where remote testing might not be feasible.
What about Post COVID-19?
The document is intended to support the appropriate use of remote assessments beyond the COVID-19 pandemic. The document includes a number of scenarios where it is not feasible to complete an onsite assessment and more importantly how remote assessments may be utilised to support such scenarios.
URM’s Assessment on New Guidelines
It is definitely welcomed that the SSC has issued a formal document on the appropriate use of remote assessments and when these should occur.
It is important to understand that remote assessments are not ‘short cut’ or ‘convenient’ assessments, and that conducting them requires meticulous planning, a close working relationship between the assessor and client, and detailed additional documentation when completing the ROC.
Equally, it is welcomed that we now have clear guidelines on the processes to follow should it not be possible to conduct onsite assessments for external reasons (e.g. health and safety or inaccessible locations) or where business and operational practicalities lend themselves to remote assessments (e.g. Cloud-based operations or where testing is limited to interviews or document reviews).
Ultimately, however, every organisation is different and URM will be able to advise on the suitability of either remote or onsite assessments or indeed a combination of the two.