The PCI SSC has issued guidance on the important topic of remote assessments during the coronavirus pandemic. It is undeniable that this crisis has been highly disruptive to the global economy and to normal day-to-day business activities. Stay-at-home orders and travel restrictions affect a range of necessary business activities, including Payment Card Industry (PCI) assessments against the PCI DSS, P2PE, PIN and card production standards. As a QSA and QPA company of the PCI Security Standards Council, we would like to make you aware of the important and helpful guidance on remote assessments that the PCI SSC has recently published.
Does an assessor need to be onsite?
The PCI SSC recognizes that there may be exceptional circumstances that temporarily prevent an assessor from travelling to a site to conduct an assessment, such as travel advisories or restrictions relating to the coronavirus. When an onsite assessment is not currently possible for such reasons, assessors should follow the guidance below.
When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the level of assurance needed to confirm that controls are properly implemented and requirements are met, before they sign off a requirement as "in place" and complete a Report on Compliance.
Maintaining the Integrity of the Assessment
Assessors must take all necessary steps to ensure that the integrity of the assessment is not weakened by remote testing. For example, when testing remotely, special precautions may be needed to confirm that the personnel being interviewed and the system components being examined are the same ones the assessor would have seen onsite, such as verifying the interviewee's identity over video and observing configuration on a live screen share of the in-scope system rather than accepting pre-captured screenshots. The methods used to observe implementations and collect evidence must also provide at least the same level of assurance as an onsite assessment.
Assessors must also clearly document within the Report on Compliance why onsite testing was not performed and how the remote testing provided an equivalent level of assurance. All relevant evidence must be retained in the work papers for the assessment, in case of an audit or other request.
Additionally, assessor companies may consider engaging qualified local assessor resources to assist. For example, in a PCI DSS assessment, if the primary QSA is unable to travel to the site because of health concerns, the QSA company may engage an approved subcontractor to perform the onsite aspects of the assessment in accordance with the QSA program requirements.
All measures should be taken to ensure that the results of a remote assessment are commensurate with those of an onsite assessment; it may therefore take longer to conduct the assessment remotely. Additionally, certain types of tests can only be done in person, and delays in completion may be unavoidable.
All questions about how the timing or completion of an assessment may affect compliance should be addressed to the entity's acquirer or the applicable payment brands.
General guidance for QSAs on onsite and remote assessments is also provided in PCI SSC FAQ 1455.