Education
again next year to save on travel and expenses. But that can only be done where a defendable justification for carrying out testing remotely still exists. The PCI SSC's position remains that assessments should be completed on-site wherever possible.

Keeping up with quality

With the updated council guidance there's no excuse for organizations to assume they can't complete annual assessments due to COVID-19 restrictions. Organizations should work with assessors to explore acceptable ways to perform testing remotely, allowing them to validate their compliance on time.

That doesn't mean remote testing is without problems or is always possible. For example, the assessed entity's staff may be prohibited from visiting a site to support the assessor's remote video observation. Or a suitable remote testing method may not be available — QSAs aren't permitted to ask organizations to breach a PCI DSS requirement or disable or circumvent security controls to enable remote testing.

QSAs also must ensure remote assessment integrity. Assessors may need to perform more work to ensure the results are valid; assessed entities may need to provide additional evidence to assessors. For example, the QSA must confirm the systems presented for testing are the ones they selected and are the same ones that would have been examined on-site. All measures taken to ensure accurate remote testing results that are equivalent to expected results from an on-site assessment must be recorded by the QSA in the assessed entity's Report on Compliance.

For some organizations it may be impossible to accommodate remote testing of some PCI DSS controls. For example, an isolated data centre where no site visits are permitted, or one where cameras are prohibited. In that case, the QSA must report the affected PCI DSS requirements as "not tested," and the organization cannot be validated as compliant.

A QSA cannot indicate full PCI DSS compliance if any applicable requirements were excluded from testing; "not tested" is not an affirmative answer as required to indicate compliance in Part 3 of the Attestation of Compliance. Where one or more requirements cannot be tested either on-site or remotely, organizations are advised to engage with their acquiring bank or the payment brands to discuss options.

Assessments for programs and solutions listed on the PCI SSC website that include any "not tested" requirements will not be accepted by the council.

No longer a last resort

In some cases, scheduling remote assessment video calls is easier than coordinating with multiple people for on-site assessments; however, it may require additional time and effort to achieve rigour comparable to that of on-site testing.

Once lockdown is lifted, the PCI SSC is not expected to change its position that on-site assessments be the norm. However, the council's public statements clarifying when and how remote testing can be justified, and both assessors' and assessed entities' recent practical experience of remote assessment, have raised awareness that remote testing is a viable alternative to face-to-face assessments.

Natasja Bolton, Strategic Partner Support Engagement Manager, Cyber Risk Services at Sysnet Global Solutions, is a PCI Qualified Security Assessor and information security professional with over 20 years' experience. In her role, Natasja engages with Sysnet's acquiring clients and their merchant customers, delivering guidance and support on payment security and the PCI standards. She is also a long-time member of the PCI SSC's Small Merchant Taskforce. She can be reached at natasja.bolton@sysnetgs.com.