The Green Sheet Online Edition

April 13, 2020 • Issue 20:04:01

Do accurate assessments during pandemic - remotely

By James Devoy
Sysnet Global Solutions

COVID-19 is changing many aspects of daily life. Some changes will be short-term measures to see us all through the pandemic, although I wonder how many will become permanent fixtures. The PCI Security Standards Council has provided guidance allowing Qualified Security Assessor (QSA) companies to carry out remote assessments. This will go a long way toward alleviating fears, because service providers have worried that their card brand listings would be removed if they could not achieve compliance due to travel bans and staff isolation.

Good news

The Payment Card Industry Data Security Standard never banned remote assessments; they could always be used if the parties to the assessment could defend their decision to use this methodology. Sysnet has, for example, used remote assessment for clients with locations in high-risk countries. In a modern IT environment, the hardware is often deep in a data centre or, more commonly, consists of virtual machines running on a cloud service provider. A client can log in remotely and allow the QSA to view their configuration and rule sets. So, when does a physical assessment become a remote assessment? What differentiates the two scenarios below?

  1. When on site, the QSA conducts an in-person observational interview with an IT technician who logs onto the corporate firewall or a server via a remote desktop session. The QSA validates that the device is the real, in-scope device by using network commands, or similar, to verify it is not a dummy machine configured to pass an assessment.
  2. The QSA initiates, from the QSA company's office (or home office), a remote session with the client's IT technician, using for example GoToMeeting or Microsoft Teams. The technician then shares their desktop and, using their remote desktop, logs onto the firewall or server. The techniques used to validate device identity are the same as those used on site.

The only technical difference is that an extra "hop" exists in a remote viewing session.
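The device-identity check in both scenarios comes down to the same thing: the output the technician shows on screen must line up with the asset inventory the assessed entity supplied before the session. The script below is an added example of that comparison, not Sysnet's or the PCI SSC's tooling. The session transcript, the inventory record, the host names, addresses and serial are all constructed for illustration, and the `$ command` transcript layout is an assumption about how the evidence was captured.

```python
"""Compare device-identity evidence captured during a screen-shared session
against the assessed entity's in-scope asset inventory.

Added example: not the assessor's or the standards body's own tooling.
Transcript layout, host names, addresses and serials are constructed."""
import re

# Constructed transcript: what the QSA watches the technician type, and what
# the device answers, during the shared-desktop session.
SESSION_TRANSCRIPT = """\
$ hostname
fw-edge-01
$ ip -4 -o addr show
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.20.1.1/24 brd 10.20.1.255 scope global eth0
3: eth1    inet 203.0.113.7/29 brd 203.0.113.7 scope global eth1
$ cat /sys/class/dmi/id/product_serial
SN-EXAMPLE-0042
"""

# Constructed transcript of a stand-in machine: same hostname, but the
# addressing and serial do not match the inventory (the "dummy machine" case).
DUMMY_TRANSCRIPT = """\
$ hostname
fw-edge-01
$ ip -4 -o addr show
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.56.10/24 brd 192.168.56.255 scope global eth0
$ cat /sys/class/dmi/id/product_serial
VBOX-0000
"""

# Constructed inventory record, as listed in the in-scope asset inventory
# supplied by the assessed entity before the session.
INVENTORY = {
    "fw-edge-01": {
        "addresses": {"10.20.1.1", "203.0.113.7"},
        "serial": "SN-EXAMPLE-0042",
    },
}


def parse_evidence(transcript: str) -> dict:
    """Pull hostname, non-loopback IPv4 addresses and serial from a transcript
    in which each command line starts with '$ ' and is followed by its output."""
    evidence = {"hostname": None, "addresses": set(), "serial": None}
    current = None
    for line in transcript.splitlines():
        if line.startswith("$ "):
            current = line[2:].strip()
            continue
        if current == "hostname":
            evidence["hostname"] = line.strip()
        elif current and current.startswith("ip "):
            m = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", line)
            if m and not m.group(1).startswith("127."):
                evidence["addresses"].add(m.group(1))
        elif current and "serial" in current:
            evidence["serial"] = line.strip()
    return evidence


def verify_device(evidence: dict, inventory: dict) -> list:
    """Return the discrepancies between the evidence and the inventory record
    for the claimed hostname; an empty list means the device checks out."""
    record = inventory.get(evidence["hostname"])
    if record is None:
        return [f"hostname {evidence['hostname']!r} is not in the in-scope inventory"]
    findings = []
    missing = record["addresses"] - evidence["addresses"]
    extra = evidence["addresses"] - record["addresses"]
    if missing:
        findings.append(f"inventory addresses not present on device: {sorted(missing)}")
    if extra:
        findings.append(f"addresses on device not in inventory: {sorted(extra)}")
    if evidence["serial"] != record["serial"]:
        findings.append(f"serial {evidence['serial']!r} differs from inventory {record['serial']!r}")
    return findings


if __name__ == "__main__":
    for label, transcript in (("genuine", SESSION_TRANSCRIPT), ("stand-in", DUMMY_TRANSCRIPT)):
        findings = verify_device(parse_evidence(transcript), INVENTORY)
        print(label, "OK" if not findings else findings)
```

A hostname alone proves little, since it is whatever the machine was told to call itself; the comparison gains weight from the details that are harder to stage together, such as the interface addressing that the rest of the network depends on and a hardware serial the assessor can cross-reference with procurement records.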

Multiple benefits

One major aspect of the interview during an assessment is to look the interviewee in the eye and observe their demeanor. An experienced assessor will sense whether all is well and the interviewee is being honest. This can be missing from a remote assessment.

However, remote assessment is a perfectly adequate methodology. In a PCI DSS assessment the client is duty-bound to be truthful, and the QSA adopts a "trust but verify" mindset. Ideally, both parties work together in an honest, transparent way to achieve their common goal. If a client is breached and is found to have used subterfuge during an assessment, they will bear the consequences.

The coronavirus is teaching us new ways of working; remote assessment may become the de facto way to undertake assessments even after the virus has passed. This has multiple benefits. It cuts assessment costs by eliminating travel and hotel expenses, cuts the carbon impact of travel, and reduces QSA travel time, giving assessors a better work/life balance. Good news for all. Only time will tell.

James Devoy is chief security officer and executive vice president, cyber risk division at Sysnet Global Solutions. Contact him at info@sysnetgs.com.
