The Impact of COVID-19 for PCI-DSS Assessments

Traditionally, the PCI Security Standards Council has always required that assessors go on-site to perform a PCI-DSS assessment. It makes this clear through much of its guidance, which calls for a QSA to be onsite for the duration of the assessment as required; even more recent documents call for Schedule onsite interviews or having the on-site assessment and participate in QSA on-site interviews.

Today’s Climate

In light of the current COVID-19 pandemic and current travel restrictions, the PCI Security Standards Council has lightened the on-site restrictions to be something a bit more pragmatic:

PCI SSC recognizes there may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an onsite location to conduct an assessment, such as travel advisories or restrictions relating to coronavirus. In the event an onsite assessment is not currently possible due to such circumstances, assessors should follow the guidance in this blog. iii

When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and requirements are met before they sign off that a requirement is “in place” and complete a report on compliance. 

Within the same publication, the council clarifies that while an exception may be in place for the actual on-site work, that integrity of the work as well as the reporting and the QSA work papers must not be negatively affected in any way from the lack of a physical visit:

Assessors must take all necessary steps to ensure that the integrity of the assessment isn’t negatively affected by remote testing – for example, when testing remotely, special precautions may be necessary to ensure that the personnel being interviewed and system components being examined are the same as if the assessor was onsite. The methods used for observing implementations and collecting evidence must also provide at least the same level of assurance as for an onsite assessment.

Assessors must also clearly document within the Report on Compliance why onsite testing wasn’t performed and how the remote testing provided an equivalent level of assurance. All relevant evidence must be retained as part of the workpapers for the assessment, in case of audit or other request.

So, the obvious question is, how does a QSA perform a remote assessment while maintaining the same integrity and quality as a traditional onsite assessment?

PCI DSS Observation Requirements

There are many PCI DSS requirements. These fit into the Examine Documentation, Interview Personnel, and lastly Observe categories.

Obviously, performing the observation requirements duly noted in the PCI DSS standard may be most affected by not being physically on-site at a client site during an assessment. The current PCI-DSS 3.2.1 standard has approximately 71 requirements where the terms OBSERVE or OBSERVATION are stated explicitly in the testing requirement, such as:

‘8.3.1.b Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used or ‘10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:

For requirements where Observe/Observation is not explicitly called for, some requirements would just be difficult to verify without a direct observation, such as:

9.1.3 Verify that physical access to wireless access points, gateways, handheld devices,

networking/communications hardware, and telecommunication lines is appropriately restricted.

As clients have restrictive policies many times inside data centers and computer rooms with regards to photography and video, these requirements present challenges to the QSA to gain the appropriate level of comfort for marking a requirement as In-Place.

So, to go back to the earlier question in how should a QSA perform a remote assessment while maintaining the same integrity and quality as an onsite assessment. the key here is to ensure your PCI QSA Company has put into place assurance and remote processes to ensure that these Observe/Observation requirements above are especially addressed in the remote work that is performed. If you are an Internal Security Assessor (ISA) doing this for a company internally, this is equally important.

It is also important that the QSA company’s processes and procedures have been established for all internal staff while performing remote assessments, and that the suitable technologies are used to provide the required level of assurance as mandated by the PCI SSC. Facilities the QSAC could use to facilitate the remote assessment might include:

• Video conferencing such as WebEx, MS Teams, or BlueJeans to personally observe screen evidence file configurations, staff logins, etc.
• Live recording features for virtual site walkthroughs through FaceTime, MS Teams, etc. for data center, retail, and call center reviews
• A secure evidence portal to facilitate video uploads, screen shots of configs and login screens, etc.
• Use of MD5 and other hash algorithms to ensure the integrity of any evidence file uploads

For situations where an absolute in-person visit is required because of lockdown data center requirements, etc. it is helpful that the QSAC has a geographically dispersed staff where the QSAC may leverage for site visits such as these.

Getting Help and References

It is important to work with a QSAC that has experience in doing remote assessments and has technologies in place to solicit remote evidence review. PSC, an NCC Group company, has developed a proprietary evidence portal for loading remote evidence of controls in place. We have procedures in place for all QSAs in order to document remote evidence and workpapers and the associated technologies required. We also have QSA staff from coast to coast within the continental U.S. for those situations that must require a local presence.

Reach out on +1.408-228-0961 to learn more about our cost-effective solutions in place for traditional and remote assessments.