    PCI Compliance in a Quarantined World

    The spread of COVID-19 has introduced new challenges affecting all facets of life. How can we navigate PCI compliance while keeping our distance?

    The Guidance

    Businesses everywhere are learning how to adjust to a “new normal” that has been thrust upon the world by COVID-19. This new and ever-changing environment presents unique challenges in the world of compliance, where meetings and observations are required to determine whether internal controls and processes are in place and operating effectively to safeguard sensitive data. Luckily, the PCI Security Standards Council has recognized the uniqueness of this situation and has issued new guidance on remote assessments that is intended to help ease the transition into a more remote world of compliance.

    An assessment completed 100% remotely can introduce doubt if not approached cautiously and with a high degree of planning and client cooperation. Assessors may need to take extra measures to validate the integrity, accuracy and completeness of evidence collected remotely.

    For example, an assessor should ensure the personnel being interviewed and the system components examined are the same as would be expected if the assessor were physically on-site (i.e. don’t take short-cuts just to perform testing remotely). Alternative methods used to perform these observations and collect evidence remotely must also provide the same level of assurance as in-person methods would provide.

    In addition to taking these extra steps to ensure accuracy of reporting, assessors are required to clearly document the reason(s) for performing observations remotely within the Report on Compliance (ROC), along with a description of how the remote testing provided a level of assurance equal to that of a physical observation.

    Some requirements may not be testable or observable remotely, which can result in unavoidable delays in completion. Check with the assessed entity’s acquirer or the applicable payment brand(s) (in the case of service providers) to clarify expectations before proceeding with the assessment. Additionally, in the event that a primary QSA is unable to travel on-site due to health concerns or travel restrictions, the QSA Company is permitted to engage an approved subcontractor to perform the aspects of the assessment that require an on-site presence.

    As a general rule, always reach out to the entity’s acquirer or applicable payment brands with questions regarding reporting or compliance delays resulting from the COVID-19 crisis. An assessor’s best chance of success during this unique and challenging time heavily depends on open communication with all involved parties.

    Visit https://www.pcisecuritystandards.org/COVID19 to stay up to date on the latest guidance from the PCI Security Standards Council.


    Derrick Rice, Director
    Process, Risk & Governance

    Eric Geving, Associate
    Process, Risk & Governance
