X
X

Find Your Specialist

X

Contact Us

Go Back

PCI Compliance in a Quarantined World

The spread of COVID-19 has introduced new challenges affecting all facets of life. How can we go about navigating PCI compliance while maintaining our distance? 

The Guidance

Businesses everywhere are learning how to adjust to a “new normal” that has been thrust upon the world by COVID-19. This new and ever-changing environment presents unique challenges in the world of compliance, where meetings and observations are required to determine whether internal controls and processes are in place and operating to effectively safeguard sensitive data. Luckily, the PCI Security Standards Council has recognized the uniqueness of this situation and has issued new guidance on remote assessments that are intended to help ease the transition into a more remote world of compliance.

An assessment completed 100% remotely can introduce doubt if not approached cautiously and with a high degree of planning and client cooperation. Assessors may need to take extra measures to validate the integrity, accuracy and completeness of evidence collected remotely.

For example, an assessor should ensure the personnel being interviewed and system components examined are the same as would be expected if an assessor was physically on-site (i.e. don’t take short-cuts just to perform testing remotely). Alternative methods used to perform these observations and collect evidence remotely must also provide the same level of assurance as in-person methods would provide.

In addition to taking these extra steps to ensure accuracy of reporting, assessors are required to clearly document the reason(s) for performing observations remotely within the Report on Compliance (ROC), along with a description of how the remote testing provided a level of assurance equal to that of a physical observation.

Some requirements may not be able to be tested or observed remotely, which can result in unavoidable delays in completion. Check with the assessed entity’s acquirer or the applicable payment brand(s) (in the cases of service providers) to clarify expectations before proceeding with the assessment. Additionally, in the event that a primary QSA is unable to travel onsite due to health concerns or travel restrictions, the QSA Company is permitted to engage an approved subcontractor to perform aspects of the assessment that may require an on-site presence.

As a general rule, always reach out to the entity’s acquirer or applicable payment brands with questions regarding reporting or compliance delays resulting from the COVID-19 crisis. An assessor’s best chance of success during this unique and challenging time heavily depends on open communication with all involved parties.

Visit https://www.pcisecuritystandards.org/COVID19 to stay up to date on the latest guidance from the PCI Security Standards Council.

Authors:

Derrick Rice, Director
Process, Risk & Governance

Eric Geving, Associate
Process, Risk & Governance

 

Related Articles

Privacy Overview

When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

You can enable or disable our use of cookies per category.

When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

You can enable or disable our use of cookies per category.

Necessary Always Enabled

Essential cookies enable you to navigate our Site and use certain features, such as accessing secure areas of our Site and using other features of our service that require us to keep track of certain information as you navigate from page to page. Although some of these cookies are “required” to enable certain functionality, you can disable them in the browser, but doing so will limit your ability to use the features supported by such cookies.

Functionality cookies are cookies that support features of the Site, such as remembering your preferences.

These cookies collect information about how you use our Site, including which pages you go to most often and if they receive error messages from certain pages. These cookies are only used to improve how our Site functions and performs.

From time-to-time, we may engage third parties that track individuals who visit our Site. These third parties may track your use of the Site for purposes of providing us with certain marketing automation features (to help us improve our outreach to current and prospective clients) and providing you with targeted advertisements.