By Natasja Bolton
Sysnet Global Solutions
Companies involved in card payment processing and ones that store, process or transmit payment card data must have security systems and controls regularly assessed against the requirements of the Payment Card Industry Data Security Standard (PCI DSS). This is even more important now as cyber criminals adjust their tactics and increase cyber attacks to exploit the COVID-19 pandemic.
Maintaining security controls at all times is vital to protect both businesses and customer payment card data. But with lockdown in place in many countries, can PCI DSS compliance assessments be undertaken remotely?
A PCI DSS compliance assessment is simply a point in time to check that everything is working properly. The compliance assessment — especially when performed by an independent PCI Qualified Security Assessor (QSA) — re-confirms for a business (and other interested parties such as their acquiring bank) that applicable security controls are in place and working properly.
Ordinarily, most aspects of PCI DSS assessments occur on-site at data centers, offices, retail stores, etc. However, with lockdown and national and international travel restrictions hindering movement, on-site assessment may not be possible. This has led many businesses to believe their QSA cannot complete their annual assessment, and has caused some third-party service providers to claim they cannot provide their customers an annual Attestation of Compliance because COVID-19 has made the on-site elements of their assessment impossible.
This isn't the case. Just as businesses have adapted to new ways of working under COVID-19, so too has the PCI Security Standards Council (PCI SSC) updated guidance for on-site assessments.
The PCI SSC's intent is for the majority of assessment testing to be performed by QSAs at physical business locations. Certain validation methods, such as first-hand observations of a process being performed or confirmation of a physical security control in place, could typically be considered valid only if the assessor was at the site in-person.
However, even before COVID-19, on-site assessment of some PCI DSS controls wasn't always possible, practical or necessary. The PCI SSC acknowledged in 2017 that assessment of some PCI DSS requirements can be achieved remotely. The council outlined scenarios where on-site assessment may be "unreasonable and unnecessary" such that remote assessment could be justified. However, this guidance also clarified that QSAs must be able to defend the remote performance of any testing procedure and that remote assessment activities are "expected to be the exception."
In response to the COVID-19 crisis, the PCI SSC updated its remote assessment guidance. Assessors and those participating in assessments may be put at risk of infection by meeting in person. In addition, governments have implemented country-wide travel bans on non-essential travel, encouraged quarantine and self-isolation for those most at risk and, in some cases, closed their country's borders.
Recognizing that local conditions may prevent on-site assessment in the short-term, the PCI SSC gave more detailed guidance on what is expected of assessors. This covers the need for a documented justification for remote testing activity and steps to ensure the remote testing has the same rigor as an on-site assessment and provides an equivalent level of assurance that PCI DSS controls are in place. The council's guidance is relevant for all types of PCI SSC assessment where on-site testing isn't possible, not just PCI DSS compliance.
With support from the PCI SSC, rather than postponing clients' compliance assessments, assessors have been able to justify and perform remote assessments. Activities that would usually take place on-site, like physical site inspections, interviews and over-the-shoulder observations (where the QSA has something demonstrated or shown to them), can be completed remotely. On-site personnel can provide QSAs real-time video observations of site security controls; interviews can be completed using secure web conferencing platforms; and administrators working from home can remotely access systems to be tested and share their desktops so QSAs can observe their actions. These allow assessment procedures to be conducted as expected.
Having succeeded with remote assessments this year, many businesses may want to do assessments remotely again next year to save on travel and expenses. But that can only be done where a defendable justification for carrying out testing remotely still exists. The PCI SSC's position remains that assessments should be completed on-site wherever possible.
With the updated council guidance there's no excuse for organizations to assume they can't complete annual assessments due to COVID-19 restrictions. Organizations should work with assessors to explore acceptable ways to perform testing remotely, allowing them to validate their compliance on time.
That doesn't mean remote testing is without problems or is always possible. For example, the assessed entity's staff may be prohibited from visiting a site to support the assessor's remote video observation. Or a suitable remote testing method may not be available — QSAs aren't permitted to ask organizations to breach a PCI DSS requirement or disable or circumvent security controls to enable remote testing.
QSAs also must ensure remote assessment integrity. Assessors may need to perform more work to ensure the results are valid; assessed entities may need to provide additional evidence to assessors. For example, the QSA must confirm the systems presented for testing are the ones they selected and are the same ones that would have been examined on-site. All measures taken to ensure accurate remote testing results that are equivalent to expected results from an on-site assessment must be recorded by the QSA in the assessed entity's Report on Compliance.
For some organizations it may be impossible to accommodate remote testing of some PCI DSS controls. Examples include an isolated data centre where no site visits are permitted, or one where cameras are prohibited. In that case, the QSA must report the affected PCI DSS requirements as "not tested," and the organization cannot be validated as compliant.
A QSA cannot indicate full PCI DSS compliance if any applicable requirements were excluded from testing; "not tested" is not an affirmative answer as required to indicate compliance in Part 3 of the Attestation of Compliance. Where one or more requirements cannot be tested either on-site or remotely, organizations are advised to engage with their acquiring bank or the payment brands to discuss options. Assessments for programs and solutions listed on the PCI SSC website that include any "not tested" requirements will not be accepted by the council.
In some cases, scheduling remote assessment video calls is easier than coordinating with multiple people for on-site assessments; however, it may require additional time and effort to achieve rigour comparable to that of on-site testing.
Once lockdown is lifted, the PCI SSC is not expected to change its position that on-site assessments be the norm. However, the council's public statements clarifying when and how remote testing can be justified, and both assessors' and assessed entities' recent practical experience of remote assessment, have raised awareness that remote testing is a viable alternative to face-to-face assessments.
Natasja Bolton, Strategic Partner Support Engagement Manager, Cyber Risk Services at Sysnet Global Solutions, is a PCI Qualified Security Assessor and information security professional with over 20 years' experience. In her role, Natasja engages with Sysnet's acquiring clients and their merchant customers, delivering guidance and support on payment security and the PCI standards. She is also a long-time member of the PCI SSC's Small Merchant Taskforce. She can be reached at email@example.com.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.