The spread of COVID-19 has introduced new challenges affecting all facets of life. How can we go about navigating PCI compliance while maintaining our distance?
The Guidance
Businesses everywhere are learning how to adjust to a “new normal” that has been thrust upon the world by COVID-19. This new and ever-changing environment presents unique challenges in the world of compliance, where meetings and observations are required to determine whether internal controls and processes are in place and operating effectively to safeguard sensitive data. Luckily, the PCI Security Standards Council has recognized the uniqueness of this situation and has issued new guidance on remote assessments that is intended to help ease the transition into a more remote world of compliance.
An assessment completed 100% remotely can introduce doubt if not approached cautiously and with a high degree of planning and client cooperation. Assessors may need to take extra measures to validate the integrity, accuracy and completeness of evidence collected remotely.
For example, an assessor should ensure the personnel being interviewed and the system components examined are the same as would be expected if the assessor were physically on-site (i.e., don’t take shortcuts just to perform testing remotely). Alternative methods used to perform these observations and collect evidence remotely must also provide the same level of assurance as in-person methods would provide.
In addition to taking these extra steps to ensure the accuracy of reporting, assessors are required to clearly document the reason(s) for performing observations remotely within the Report on Compliance (ROC), along with a description of how the remote testing provided a level of assurance equal to that of a physical observation.
Some requirements may not be able to be tested or observed remotely, which can result in unavoidable delays in completion. Check with the assessed entity’s acquirer or the applicable payment brand(s) (in the case of service providers) to clarify expectations before proceeding with the assessment. Additionally, in the event that a primary QSA is unable to travel on-site due to health concerns or travel restrictions, the QSA Company is permitted to engage an approved subcontractor to perform aspects of the assessment that may require an on-site presence.
As a general rule, always reach out to the entity’s acquirer or applicable payment brands with questions regarding reporting or compliance delays resulting from the COVID-19 crisis. An assessor’s best chance of success during this unique and challenging time heavily depends on open communication with all involved parties.
Visit https://www.pcisecuritystandards.org/COVID19 to stay up to date on the latest guidance from the PCI Security Standards Council.
Authors:
Derrick Rice, Director
Process, Risk & Governance
Eric Geving, Associate
Process, Risk & Governance