PCI SSC recognizes that in the current exceptional circumstances relating to COVID-19, entities are asking how they can support payment security and assessment activities while also dealing with new and unfamiliar issues related to the global pandemic.
PCI SSC’s primary focus has always been to help entities maintain the security of their environments and protect payment card data. We also understand the importance of keeping business moving forward and are dedicated to supporting this aim for our stakeholders during the current unusual circumstances.
While PCI SSC does not manage compliance programs and therefore cannot comment on compliance impacts, we are working hard to provide useful guidance to help entities and assessors navigate their assessment processes during this time. One effect of the global travel advisories and restrictions currently in place is that assessors may not be able to complete onsite PCI assessments at an entity’s location. This blog post builds on the guidance provided in an earlier post, Remote Assessments and the Coronavirus, to provide additional direction for entities and assessors in these unusual circumstances.
Note: Given that countries and regions are being impacted differently and facing different types of restrictions, it is not possible for PCI SSC to provide a universal position on the viability of remote assessments across all regions. The ability to assess an environment, and to what level the assessment can be completed in accordance with existing program requirements, will need to be determined on a case-by-case basis given the current situation in each region or country.
Identifying assessment activities that could be performed remotely.
Onsite assessments should always be completed wherever possible in accordance with the applicable PCI SSC program testing requirements, procedures, and assessor agreements. Where onsite assessments have been or can be completed, assessors and entities should complete the assessment and submit their validation documentation as normal.
Where an onsite assessment is temporarily not possible, assessors and entities should work together to identify which, if any, testing activities are feasible to perform remotely. Testing activities that are more suited to remote assessment typically include the following, but will depend on the specific circumstances:
- Reviews of documentation – for example, reviews of policies and procedure documents.
- Reviews of generated evidence – for example, records of personnel acknowledgment of their security responsibilities.
- Interviews – for example, to verify that personnel understand the policies and procedures, or to describe the process that was followed to record personnel’s acknowledgment of their security responsibilities.
Considerations for remotely reviewing documentation and generated evidence include ensuring that a secure method is used for sharing and accessing the material, and that the information is reviewed only within secured systems and environments. The assessor will also need to verify the integrity and authenticity of the information provided: that it has not been altered in transit or in preparation for the review, that it is the current version in use, and that it represents what the assessor would have seen had they been onsite at the entity’s location.
Considerations for remote interviews include ensuring that an effective communication method is available and interviews are scheduled at a time that is convenient to those participating. Techniques to maximize the value of the communication include the use of video wherever possible and keeping all participants visible and engaged for the duration of the interview.
Whether it is feasible to complete other types of testing remotely will depend on the particulars of the testing requirements and the environment being assessed.
At all times, assessor companies are required to have policies and procedures in place that maintain confidentiality of information gathered during the assessment process in accordance with applicable program requirements. Details of these requirements are defined in the applicable PCI SSC assessor program documentation.
Remote assessments are not always possible.
The current conditions and travel restrictions have resulted in many organizations having to significantly reduce staffing or temporarily close their facilities to employees and visitors. These organizations might not have staff available to coordinate assessment activities with a remote assessor.
Additionally, where an entity’s staff are available to support remote assessment activities, there could be security and logistical factors limiting the scope of assessment activities that can be successfully performed remotely.
When considering whether and to what extent an assessment activity could be performed remotely, the following principles should be adhered to.
- Remote assessment activities must not reduce or negatively impact the security of the environment being assessed. This includes not requiring an entity to disable or circumvent security controls in order to facilitate the remote assessment.
- Remote assessment activities must not require violation of a PCI standard security requirement in order to assess an environment to that standard. For example, if a PCI standard prohibits personal camera phones in certain areas, such devices should not be introduced into those areas for the purposes of completing a remote assessment.
- Remote assessment activities must be designed and implemented in a manner intended to avoid introducing additional risk of disruption to the entity’s operations.
- Remote assessments must be performed with the same rigor and integrity as an onsite assessment and provide an equivalent level of assurance about whether the assessed controls are properly implemented.
Testing activities that require the assessor to observe physical security controls or processes being performed are typically the most challenging to complete remotely. Being onsite and actively observing the processes in action is often the only way for an assessor to get a true picture of the environment and make an accurate determination about whether security processes are being followed.
Both the assessor and the entity being assessed should have input and agree upon decisions about the nature and feasibility of remote assessment activities, while maintaining adherence to the principles and intent of the applicable testing requirements.
Entities should contact their compliance-accepting entity—that is, payment brand or acquirer—to determine any compliance impact associated with remote assessments. Where it is not feasible for an assessment to be completed, the entity should consult with their acquirer and/or payment brand to understand their expectations regarding partial or incomplete assessments and any deferral considerations. Any waivers or extensions to compliance mandates are defined by payment brands and acquirers.
Documenting remote assessments
When documenting results of remote testing activities, the assessor should clearly identify within the applicable report (Report on Compliance or Report on Validation) which requirements and testing procedures were performed remotely. As with all assessments, the assessor’s approach must be defensible. Assessors are required to maintain evidence of testing in their work papers to support the results of testing and subsequent findings.
Where a requirement cannot be assessed onsite or remotely, the assessor should document the requirement as “not tested” in the corresponding report. [1] Questions relating to how an unvalidated requirement may affect an entity’s compliance should be discussed with the entity’s acquirer or payment brand, as normal.
Considerations for assessments that will result in or affect a listing on the PCI SSC website
Where assessments can be completed in accordance with the defined testing procedures, they should be completed and submitted to PCI SSC as normal. Please note that PCI SSC cannot accept submissions that include any “not tested” requirements.
To support situations where it is currently not possible to complete assessments in accordance with applicable PCI SSC standards or program requirements, PCI SSC is currently considering program-specific options that may provide additional flexibility. These may include offering extensions or increased grace periods for revalidation dates for solutions and product listings on the PCI SSC website. The specific listing page for each program will be updated with further information as these options become available.
Maintaining security is critical.
It is critically important that entities continue to maintain and monitor the effectiveness of their security controls during this period. This includes ensuring that all required security controls are in place and working effectively at all times. Attackers thrive in times of disruption and there have been significant increases in criminal activity during the current crisis.
PCI SSC is dedicated to helping entities remain diligent and protect themselves and their customers from compromises of payment card data. Continue to visit the COVID-19 page on our website for the latest guidance.
[1] For PCI DSS assessments, additional guidance on the use of “not tested” is provided in FAQ 1473, “What is the role of acquirers and assessors in determining the applicability of PCI DSS requirements for a merchant’s PCI DSS assessment?”