PCI DSS and Remote Assessments

James Devoy

CSO & EVP Cyber Risk Division at Sysnet Global Solutions

31.03.2020 09:30 am

COVID-19 is obviously changing many aspects of daily life. Some of these changes will be short-term measures to see us all through these times, although I wonder how many will become more permanent fixtures in our lives.

The PCI SSC has provided guidance to allow QSA companies to carry out remote assessments. This advice, and the SSC's understanding of the situation, will go a long way to alleviate fears. Our company services a large Service Provider client base, and these clients were especially worried that their card brand listings would be removed if travel bans and staff isolation prevented them from achieving compliance.

The PCI DSS has never actually banned remote assessments; they could always be used as long as the QSA and the QSA Company could defend and stand over their decision to use this methodology. We ourselves have used remote assessment when a client has a branch or outlet in a high-risk country.

In a modern IT environment we rarely ‘touch the tin’ these days: the actual hardware is often deep in a data centre or, more commonly now, the systems are virtual machines running on a cloud service provider such as Azure, AWS or VMC. We assess these by having our client log in remotely to the devices and allow us to view their configuration and rule sets. So, when does a physical assessment become a remote assessment? What is the difference between the two scenarios below?

  1. When on-site, we sit in a room and conduct an observational interview with an IT technician who logs onto the corporate firewall or a server via a remote desktop session. We validate that the device is the true device by using network commands, or similar, to verify that it is not a dummy machine configured to pass an assessment.
  2. The QSA initiates, from our office (or their home), a remote session with the client's IT technician using, for example, GoToMeeting or Microsoft Teams. The technician shares their desktop and then, using their remote desktop, logs onto the firewall or server. We use the same techniques as we would on-site to validate the device's identity.

The only technical difference is that we have an extra ‘hop’ in our remote viewing session.

One major aspect of the interview during an assessment is to look into the eyes and observe the demeanour of the person being interviewed. An experienced assessor will have a feeling that all is well and that the interviewee is being honest. This, of course, can be missing from a remote assessment.

Remember that in a PCI DSS assessment the assessor works with a ‘Trust but Verify’ mindset. The client is duty- and honour-bound to be truthful to the assessor. If a client were breached and it was found that they had used any kind of subterfuge with the assessor, they would need to accept the consequences.

Remote assessment is a perfectly adequate methodology for undertaking an assessment. The QSA and the client should work together in an honest and transparent way to achieve their common goal. This coronavirus will teach us all new ways of working; remote assessment may even become the de facto way to undertake assessments after the virus has passed. It has many economic, psychological and environmental benefits: it cuts the cost of assessments by removing travel and hotel expenses, it cuts travel and thus the carbon impact, and it reduces the time assessors spend travelling, giving them a better work/life balance. Good news for all; only time will tell!
