Today, the Council has published “PCI SSC Remote Assessment Guidelines and Procedures”. These Guidelines define the principles and procedures for the appropriate use of remote assessments for PCI SSC standards when an onsite assessment is not possible. Here we interview Emma Sutcliffe, SVP Standards Officer on how the industry can use these guidelines to support secure remote assessment practices.
Why is PCI SSC publishing guidelines for remote assessments?
Emma Sutcliffe: PCI SSC has received several questions about the role of remote assessments when an onsite assessment cannot be performed, primarily due to the challenges caused by the global pandemic. To support our stakeholders through these challenges, the Council previously produced guidance on remote assessments through our Blog and stakeholder webinars and forums. The newly published Remote Assessment Guidelines and Procedures continue to address the evolving needs of the payments industry by providing a more formal and detailed approach for the use of remote assessments.
Can you provide a high-level overview of what is included in “PCI SSC Remote Assessment Guidelines and Procedures”?
Emma Sutcliffe: At a high level, the document defines procedures and guidelines to support the appropriate use of remote assessments. At a more detailed level, the document includes:
- An overarching set of principles and procedures governing how remote assessment activities may be used in assessments to a PCI SSC standard.
- Detailed guidelines and best practices on the use of remote testing methods for different types of testing activities.
- Requirements and expectations for PCI SSC assessors regarding the use of remote assessment activities.
- A template for documenting the use of remote assessment activities for PCI SSC Reports on Compliance (ROC) and Reports on Validation (ROV).
Who is the intended audience for the guidelines?
Emma Sutcliffe: The guidelines are intended for entities and assessors that are preparing for an assessment to a PCI SSC standard, where it is not feasible for the assessment to be performed onsite and where remote assessments are allowed by the applicable compliance-accepting entity or PCI SSC validation program.
What are some best practices when performing a remote assessment?
Emma Sutcliffe: Detailed planning and preparation are critical for the success of a remote assessment. There is sometimes a misconception that the remote assessment will be easier, quicker, or require less effort than an onsite assessment. In actuality, remote assessments will often require more preparation and planning and could take more time to complete than an onsite assessment.
Communication and consultation between the assessor and entity is also critically important. Open and frequent communications should take place throughout the planning stage and for the entire duration of the assessment.
During the assessment, assessors and entities should continually monitor and evaluate the effectiveness of the remote testing methods to confirm whether the testing methods are performing as intended and whether additional testing may be needed.
As well as the procedural considerations, the document includes guidelines and best practices for the proper use of remote testing methods for different testing activities, including documentation reviews, interviews, examination of systems and data, observation of processes and physical environments, and interactive testing. For each type of testing activity, the document explores:
- The potential challenges and considerations associated with performing the testing activity using remote methods, including factors that could affect evidence reliability and level of assurance
- Examples of additional testing activities to help mitigate any reliability and assurance gaps
- Potential scenarios where remote testing might not be feasible
- Best practices for the effective use of the remote testing methods
Are there any scenarios where a remote assessment is not appropriate?
Emma Sutcliffe: Remote assessments should be undertaken only after a thorough feasibility analysis. Because an onsite assessment can often provide greater insights and security assurance than a remote assessment, the use of fully remote assessments should be considered only when there are clear and unavoidable barriers that prevent an onsite assessment from taking place. Where such barriers do not exist, assessors are expected to perform onsite assessments as defined in the applicable standard and program.
Remote assessment activities must not reduce or negatively impact the security of the environment being assessed. Where a remote assessment would require a breach of the entity’s security rules, an onsite assessment will be required. Additionally, remote assessment activities must not require violation of a PCI standard security requirement in order to assess an environment to that standard.
There are also scenarios where full testing or verification of evidence can only occur onsite at the entity’s location—for example, where the data or evidence to be reviewed contains confidential or proprietary information that is not permitted to leave the entity’s premises.
Can the remote assessment guidelines be used beyond the COVID-19 pandemic?
Emma Sutcliffe: Yes, the guidelines are intended to support the appropriate use of remote assessments beyond the current pandemic. The document includes examples of legitimate scenarios where completion of an onsite assessment is not feasible and defines how remote assessments may be leveraged to support such scenarios .
Which PCI SSC standards allow remote assessments?
Emma Sutcliffe: For standards associated with a PCI SSC validation program (that is, where the assessment is associated with a listing on the PCI SSC website), the use of remote assessment methods is supported within the parameters defined in the PCI SSC Remote Assessment Guidelines and Procedures document.
For standards associated or a payment brand compliance program, the assessed entity should consult with the compliance-accepting entity prior to scheduling and conducting the assessment to confirm any requirements they may have regarding the use of remote assessments.
Further details about the applicability of the Remote Assessment Guidelines and Procedures to PCI SSC standards are included within the document.
Is there anything that an assessed entity should know about these guidelines or remote assessment in general?
Emma Sutcliffe: Remote assessments are not a ‘short cut’ or ‘light’ assessment. Assessors are required to apply the same rigor and integrity to remote assessments as onsite assessments. As with any assessment, a full and thorough assessment must be completed before the assessor can document an assessment result.
Finally, it’s important to note that remote assessments are not always feasible and there will be scenarios where onsite testing is required in order for the assessment to be completed.
Are there any other PCI SSC resources that stakeholders should consider when considering remote assessments?
Emma Sutcliffe: Yes, the Council has been committed to providing guidance on this issue throughout the pandemic. Below are some of those resources:
- PCI Perspectives Blog: Remote Assessments and the Coronavirus
- PCI Perspectives Blog: Additional Remote Assessment Considerations During COVID-19
- FAQ 1455: Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?