Troy Leach, Senior Vice President, Engagement Officer, PCI SSC, discusses guidance for performing assessments in light of the recent coronavirus outbreak.
The PCI SSC has received many questions about remote assessments given the unfolding global situation involving the spread of the coronavirus and international efforts to contain it. In this blog post we provide guidance to the assessor community on remote assessments.
PCI SSC recognizes that the unusual circumstances associated with the coronavirus are not limited to congregation of large groups for meetings and conferences, but may also impact other activities that typically require in-country or global travel, such as PCI assessments against the PCI DSS, Card Production, P2PE, and PIN standards. While onsite assessments are always expected, in this unique circumstance, individual health and safety must be considered when making decisions regarding onsite assessments.
Does an assessor need to be onsite?
PCI SSC recognizes there may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an onsite location to conduct an assessment, such as travel advisories or restrictions relating to coronavirus. In the event an onsite assessment is not currently possible due to such circumstances, assessors should follow the guidance in this blog.
When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and requirements are met before they sign off that a requirement is “in place” and complete a report on compliance.
Maintaining the Integrity of the Assessment
Assessors must take all necessary steps to ensure that the integrity of the assessment isn’t negatively affected by remote testing – for example, when testing remotely, special precautions may be necessary to ensure that the personnel being interviewed and system components being examined are the same as if the assessor was onsite. The methods used for observing implementations and collecting evidence must also provide at least the same level of assurance as for an onsite assessment.
Assessors must also clearly document within the Report on Compliance why onsite testing wasn’t performed and how the remote testing provided an equivalent level of assurance. All relevant evidence must be retained as part of the workpapers for the assessment, in case of audit or other request.
Additionally, assessor companies may also consider engaging qualified local assessor resources to assist. For example, for a PCI DSS assessment, if the primary QSA is unable to travel to the onsite location due to health concerns, they may engage an approved subcontractor to perform onsite aspects of the assessment in accordance with the QSA program requirements.
All measures should be taken to ensure the results of a remote assessment are commensurate with those resulting from an onsite assessment; it may therefore take longer to conduct the assessment remotely. Additionally, certain types of tests can only be done in-person and completion delays may be unavoidable.
All questions about how completion of an assessment may impact compliance should be addressed to the entity’s acquirer or the applicable payment brands.
General guidance for QSAs around onsite and remote assessments is also provided in FAQ 1455.
For more information and updates on how the coronavirus may impact PCI events, requirements or other activity, please visit our dedicated webpage. The PCI Perspectives blog will be updated with the latest information. Subscribe to the blog to receive instant email notifications.
We appreciate your understanding as we work with this evolving situation. We wish you good health and safety wherever you may be.