In early 2020, the PSI SSC determined that remote PCI assessments would be allowed due to the COVID-19 Pandemic. They have released guidance on how these should be conducted and what it means for the assessors and entities being assessed.
The first question you should ask yourself is “am I required to have a PCI On-Site Assessment during normal circumstances?” If the answer to that is “Yes”, today we explore common questions related to performing these assessments during the current pandemic and what the updated guidance from PCI SSC means for you.
Are remote PCI assessments allowed?
Yes, the PCI SSC is currently allowing remote assessments! They have not provided a timeline on how long this will be allowed, but we are hopeful they will provide plenty of lead time if/when they determine it is safe to proceed with traditional on-site work.
Is the PCI SSC still requiring all controls to be validated?
Yes. All controls are still in scope. Per the guidance from the PCI SSC:
“Remote assessments must be performed with the same rigor and integrity as an onsite assessment and provide an equivalent level of assurance about whether the assessed controls are properly implemented.”
What if we are unable to validate a control remotely?
The assessor should clearly denote which controls were validated remotely. Additionally, the assessor should still be maintaining evidence in their workpapers to support their findings. If an assessor is unable to validate a control remotely, they should mark it as “not tested”, but this would prevent a compliant Report on Compliance (RoC) from being issued.
Can we just skip our assessment this year and wait until travel is allowed?
No! Nice try though.
We are about 6 months out from our audit, should we assume it will be completed remotely?
Probably not, you should be preparing like you would for any PCI assessment and work with your assessor to determine the appropriate way forward as the actual date approaches. At this point, the PCI SSC has not provided any guidance on when they will no longer allow remote assessments and we don’t have any indication of when the country will be past the current pandemic. We are recommending our clients prepare as if we will be coming on site for an assessment, as there should still be the exact same activities taking place and same security controls being maintained, and then we’re making the ultimate determination in the weeks leading up to the assessment when we lock in a schedule.
How are you confirming physical security requirements?
Videoconferencing, unaccompanied walkthroughs, recorded videos, and socially distant walkthroughs are all possibilities. You should work with your assessor directly to determine the best approach for your organization.
Have any additional questions on remote assessments? We are happy to discuss our approach and how we can assess your compliance. Please contact us to day and we would be happy to assist!