Every business requires cybersecurity in order to secure valuable data, protect customers and ensure that the company complies with industry standards and regulations. Just like a car needing to pass its MOT every year, any company involved in card payment processing, or one that stores, processes or transmits payment card data, needs to have its security systems and controls regularly assessed against the requirements of the Payment Card Industry Data Security Standard (PCI DSS) to ensure they are in place and effective. This is even more important now as cyber criminals adjust their scam tactics to exploit everyone’s concerns about COVID-19 and increase their cyber attacks, but this has led to a big question: with lockdown still in place in many countries, can those PCI DSS compliance assessments be undertaken remotely?
It is a company’s ability to maintain its security controls at all times that is vital to the protection of customer payment card data and the business. Just like a car’s MOT, a PCI DSS compliance assessment is simply a point-in-time check that everything is working properly. The compliance assessment – especially when performed by an independent PCI Qualified Security Assessor (QSA) – re-confirms for the business (and other interested parties such as their acquiring bank) that the applicable security controls are truly in place and ‘working properly’.
Ordinarily, it is expected that most aspects of a PCI DSS assessment will take place on-site at the organisation’s data centre, offices, retail stores, etc. However, with both lockdown and national and international travel restrictions continuing to hinder movement, on-site assessment may no longer be possible. This has no doubt led many businesses to believe that their QSA cannot complete their annual assessment and caused some third-party service providers to claim to their customers that they cannot yet provide their annual Attestation of Compliance due to COVID-19 preventing the performance of the on-site elements of their assessment.
But this is not the case. Just as businesses have adapted their operations to new ways of working under COVID-19 so too has the Payment Card Industry Security Standards Council (PCI SSC) updated their guidance for on-site assessments.
Adapting to a new lifestyle
The PCI SSC’s intent is for on-site compliance assessment to be the norm: that the majority of assessment testing shall be performed by the QSA at the business’ physical locations. Certain validation methods, such as first-hand observations of a process being performed or confirmation of a physical security control in place, could only be considered valid if the assessor was at the site in-person.
However, even before COVID-19, on-site assessment of some of the PCI DSS controls wasn’t always possible, practical or necessary. The PCI SSC acknowledged in 2017 that assessment of some PCI DSS requirements can be achieved remotely without an on-site visit by the QSA. They outlined some scenarios where on-site assessment may be ‘unreasonable and unnecessary’, such that remote assessment could be justified if an alternative means of validating the control and meeting the on-site testing objective is available. However, this guidance also made it clear that QSAs must be able to defend the remote performance of any testing procedure and that remote assessment activities are ‘expected to be the exception’.
In response to the current COVID-19 climate, the PCI SSC has recently updated their remote assessment guidance. Both assessors and those participating in the assessment may be put at risk of infection by meeting in person. In addition, governments have put in place country-wide bans on non-essential travel, encouraged quarantine and self-isolation for those most at risk and, in some cases, completely closed their country’s borders. Recognising that local conditions may entirely prevent on-site assessment in the short term, the PCI SSC gave more detailed guidance on what is expected of assessors. This covers the need for a documented justification for any remote testing activity and the steps to ensure the remote testing has the same rigour, and provides an equivalent level of assurance that the PCI DSS controls are in place, as an on-site assessment. It is also worth noting that the Council’s guidance is relevant for all types of PCI SSC assessment where on-site testing is not currently possible, not just PCI DSS compliance assessments.
With this support from the PCI SSC, rather than postponing clients’ compliance assessments, assessors have been able to justify and perform remote assessments, and it is turning out to be quite doable. Activities that would usually take place on-site, like physical site inspections, interviews and ‘over the shoulder’ observations (where the QSA has something demonstrated or shown to them), can all be completed remotely. On-site personnel can take the QSA on a real-time video observation of site security controls; interviews can be completed using secure web conferencing platforms – such as WebEx or Teams; administrators working from home can remotely access the systems to be tested and share their desktop so the QSA can observe their actions on the system. These all allow assessment testing procedures to be conducted as expected.
Sysnet Global Solutions, a PCI QSA Company, has successfully completed a number of remote assessments for clients whose PCI DSS assessments have been due in this period – so successfully, in fact, that many of these clients may want to do it again next year to save on travel and expenses! But that can only be the case where a defendable justification for carrying out testing remotely still exists. The PCI Council’s default position remains that assessments should be completed on-site wherever possible.
Keeping up with quality
Sysnet’s experience has shown that successfully completing a compliance assessment through remote testing is achievable. Organisations should work with their assessor to actively explore acceptable means and methods for performing testing remotely, allowing them to validate their compliance on time. Organisations should not just assume that COVID-19 restrictions mean their assessment can’t take place; with the updated Council guidance there is no excuse not to try to support completion of their annual assessment.
However, that doesn’t mean that remote testing is without its own problems or is always possible. For example, the assessed entity’s staff may also be prohibited from visiting a site to support the assessor’s remote video observation. Or there may not be a suitable remote testing method available: the assessor is not permitted to ask the organisation to breach a PCI DSS requirement, or to disable or circumvent security controls, in order to enable remote testing.
The QSA also needs to take steps to ensure the integrity of the remote assessment. This may mean the assessor needs to perform more work to ensure the results are valid and/or the assessed entity needs to provide additional evidence to the assessor. For example, the QSA must be able to confirm that the systems presented for testing are the ones selected by them and are the same ones that would have been examined on-site.
All activities and the measures taken to ensure accurate remote testing results that are equivalent to what would have been expected from an on-site assessment must be recorded by the QSA in the assessed entity’s Report on Compliance.
Even then, for some organisations it may simply not be possible to accommodate remote testing of some PCI DSS controls – for example, an isolated data centre where no site visits are currently permitted, or one where cameras are prohibited. If that is the case, the QSA will need to report the affected PCI DSS requirements as ‘Not Tested’ and thus the organisation cannot be validated as compliant. The PCI SSC is quite clear that an assessor cannot indicate full PCI DSS compliance if any applicable requirements were excluded from testing; ‘Not Tested’ is not the affirmative answer required to indicate compliance in Part 3 of the Attestation of Compliance. Organisations impacted by this – where one or more requirements cannot be tested either on-site or remotely – are recommended to engage with their acquiring bank (if a merchant organisation) or the payment brands (if a service provider) to discuss options. Assessments for programs and solutions listed on the PCI SSC website – for example, PCI Point-to-Point Encryption (P2PE) Solutions – that include any ‘Not Tested’ requirements will not be accepted by the Council.
No longer a last resort
So far, the QSAs at Sysnet have not encountered issues where they have been unable to arrange a suitable remote assessment method. In some cases, scheduling remote assessment video calls has actually been easier than trying to coordinate with multiple people for an on-site assessment. In our experience, remote assessment is perfectly feasible and often easier to accommodate, but it may require additional time and effort to have the same rigour as the equivalent on-site testing.
Once lockdown is lifted, it is not expected that the PCI SSC will change their position that assessments should be conducted on-site wherever possible. However, the Council’s public statements clarifying when and how remote testing can be justified, and both assessors’ and assessed entities’ recent practical experience of remote assessment, have raised awareness and understanding that remote testing is a viable alternative to face-to-face assessments.