By James Devoy
Sysnet Global Solutions
COVID-19 is changing many aspects of daily life. Some will be short-term measures to see us all through the pandemic, although I wonder how many will become permanent fixtures. The PCI Security Standards Council provided guidance to allow Qualified Security Assessor (QSA) companies to carry out remote assessments. This will go a long way to alleviate fears, because service providers have worried that their card brand listings would be removed if they could not achieve compliance due to travel bans and staff isolation.
The Payment Card Industry Data Security Standard (PCI DSS) never banned remote assessments; they could always be used, provided the parties to the assessment could defend their decision to use this methodology. Sysnet has, for example, used remote assessment for clients with locations in high-risk countries. In a modern IT environment, the hardware is often deep in a data centre or, more commonly, consists of virtual machines running on a cloud service provider. A client can log in remotely and allow the QSA to view their configuration and rule sets. So, when does a physical assessment become a remote assessment? What differentiates the scenarios below?
The only technical difference is that an extra "hop" exists in a remote viewing session: the client logs in to the same systems and shows the same evidence, but the QSA watches over a screen-sharing connection rather than over the client's shoulder.
One major aspect of the interview during an assessment is to look the interviewee in the eye and observe their demeanor. An experienced assessor uses those cues to judge whether all is well and the interviewee is being honest. That signal can be missing from a remote assessment.
However, remote assessment is a perfectly adequate methodology. In a PCI DSS assessment the client is duty-bound to be truthful, and the QSA adopts a "trust but verify" mindset. Ideally, both parties work together in an honest, transparent way to achieve their common goal. If a client is breached and is found to have used subterfuge during an assessment, they will bear the consequences.
The coronavirus is teaching us new ways of working; the remote assessment may become the de facto way to undertake assessments even after the virus has passed. This has multiple benefits. It cuts assessment costs by eliminating travel and hotel expenses, cuts the carbon impact of travel, and reduces QSA travel time, giving assessors a better work/life balance. Good news for all. Only time will tell.
James Devoy is chief security officer and executive vice president, cyber risk division at Sysnet Global Solutions. Contact him at firstname.lastname@example.org.