Page 26 - GS20801

Education

A comprehensive look at PCI remote assessment

By Natasja Bolton
Sysnet Global Solutions

Companies involved in card payment processing and ones that store, process or transmit payment card data must have security systems and controls regularly assessed against the requirements of the Payment Card Industry Data Security Standard (PCI DSS). This is even more important now, as cyber criminals adjust their tactics and increase cyber attacks to exploit the COVID-19 pandemic.

Maintaining security controls at all times is vital to protect both businesses and customer payment card data. But with lockdowns in place in many countries, can PCI DSS compliance assessments be undertaken remotely?

A PCI DSS compliance assessment is simply a point-in-time check that everything is working properly. The compliance assessment — especially when performed by an independent PCI Qualified Security Assessor (QSA) — re-confirms for a business (and other interested parties, such as its acquiring bank) that the applicable security controls are in place and working properly.

Ordinarily, most aspects of PCI DSS assessments occur on-site at data centers, offices, retail stores, etc. However, with lockdowns and national and international travel restrictions hindering movement, on-site assessment may not be possible. This has led many businesses to believe their QSA cannot complete their annual assessment, and has caused some third-party service providers to claim they cannot provide their customers an annual Attestation of Compliance because COVID-19 has rendered the on-site elements of their assessment impossible.

This isn't the case. Just as businesses have adapted to new ways of working under COVID-19, so too has the PCI Security Standards Council (PCI SSC) updated its guidance for on-site assessments.

Adapting to a new lifestyle

The PCI SSC's intent is for the majority of assessment testing to be performed by QSAs at physical business locations. Certain validation methods, such as first-hand observation of a process being performed or confirmation that a physical security control is in place, could typically be considered valid only if the assessor was at the site in person.

However, even before COVID-19, on-site assessment of some PCI DSS controls wasn't always possible, practical or necessary. The PCI SSC acknowledged in 2017 that assessment of some PCI DSS requirements can be achieved remotely. The council outlined scenarios where on-site assessment may be "unreasonable and unnecessary" such that remote assessment could be justified. However, this guidance also clarified that QSAs must be able to defend the remote performance of any testing procedure and that remote assessment activities are "expected to be the exception."

In response to the COVID-19 crisis, the PCI SSC updated its remote assessment guidance. Assessors and those participating in assessments may be put at risk of infection by meeting in person. In addition, governments have implemented country-wide bans on non-essential travel, encouraged quarantine and self-isolation for those most at risk and, in some cases, closed their country's borders.

Recognizing that local conditions may prevent on-site assessment in the short term, the PCI SSC gave more detailed guidance on what is expected of assessors. This covers the need for a documented justification for any remote testing activity, and the steps needed to ensure the remote testing has the same rigor as an on-site assessment and provides an equivalent level of assurance that PCI DSS controls are in place. The council's guidance is relevant for all types of PCI SSC assessment where on-site testing isn't possible, not just PCI DSS compliance.

With support from the PCI SSC, rather than postponing clients' compliance assessments, assessors have been able to justify and perform remote assessments. Activities that would usually take place on-site, like physical site inspections, interviews and over-the-shoulder observations (where the QSA has something demonstrated or shown to them), can be completed remotely. On-site personnel can provide QSAs with real-time video observation of site security controls; interviews can be completed using secure web conferencing platforms; and administrators working from home can remotely access the systems to be tested and share their desktops so QSAs can observe their actions. These measures allow assessment procedures to be conducted as expected.

Having succeeded with remote assessments this year, many businesses may want to do assessments remotely