Page 42 - GS200401
Education

Do accurate assessments during pandemic – remotely

By James Devoy
Sysnet Global Solutions

COVID-19 is changing many aspects of daily life. Some will be short-term measures to see us all through the pandemic, although I wonder how many will become permanent fixtures. The PCI Security Standards Council provided guidance to allow Qualified Security Assessor (QSA) companies to carry out remote assessments. This will go a long way to alleviate fears, because service providers have worried that their card brand listings would be removed if they could not achieve compliance due to travel bans and staff isolation.

Good news

The Payment Card Industry Data Security Standard never banned remote assessments; they could always be used if the parties to the assessment could defend and stand over their decision to use this methodology. Sysnet has, for example, used remote assessment for clients with locations in high-risk countries. In a modern IT environment, the hardware is often deep in a data centre or, more commonly, consists of virtual machines running on a cloud service provider. A client can log in remotely and allow the QSA to view their configuration and rule sets. So, when does a physical assessment become a remote assessment? What differentiates the two scenarios below?

1. When on-site, the QSA conducts an in-person observational interview with an IT technician who logs onto the corporate firewall or a server via a remote desktop session. The QSA validates that the device is the true device by using network commands, or similar, to verify it is not a dummy machine configured to pass an assessment.

2. The QSA initiates, from the QSA company's office (or home office), a remote session to the client's IT technician, using for example GoToMeeting or Microsoft Teams. The technician then shares their desktop and, using their remote desktop, logs onto the firewall or server. The techniques used to validate device identity are the same as those used on-site.

The only technical difference is that an extra "hop" exists in a remote viewing session: the QSA observes the device through the technician's shared screen rather than over the technician's shoulder.

Multiple benefits

One major aspect of the interview during an assessment is to look into the eyes and observe the demeanor of the interviewee. An experienced assessor will sense that all is well and the interviewee is being honest. This can be missing from a remote assessment.

However, remote assessment is a perfectly adequate methodology. In a PCI DSS assessment the client is duty-bound to be truthful, and the QSA adopts a "trust but verify" mindset. Ideally, both parties work together in an honest, transparent way to achieve their common goal. If a client is breached and is found to have used subterfuge during an assessment, they will bear the consequences.

The coronavirus is teaching us new ways of working; the remote assessment may become the de facto way to undertake assessments even after the virus has passed. This has multiple benefits. It cuts assessment costs by eliminating travel and hotel expenses, cuts the carbon impact of travel, and reduces QSA travel time, giving assessors a better work/life balance. Good news for all. Only time will tell.

James Devoy is chief security officer and executive vice president, cyber risk division at Sysnet Global Solutions. Contact him at info@sysnetgs.com.