PCI DSS and Remote Assessments

  • James Devoy, CSO & EVP Cyber Risk Division at Sysnet Global Solutions

  • 31.03.2020 09:30 am
  • COVID-19

COVID-19 is obviously changing many aspects of daily life. Some will be short term measures to see us all through these times, although I wonder how many will become more permanent fixtures in our lives.

The PCI SSC has provided guidance to allow QSA companies to carry out remote assessments. This advice, and the SSC's understanding of the situation, will go a long way towards alleviating fears. Our company services a large Service Provider client base, and these clients were especially worried that they would have their card brand listings removed if travel bans and staff isolation prevented them from achieving compliance.

The PCI DSS has never actually banned remote assessments; they could always be used if the QSA and the QSA Company could defend and stand over their decision to use this methodology. We ourselves have used remote assessment when a client has a branch or outlet in a high-risk country.

In a modern IT environment we rarely ‘touch the tin’ these days: the actual hardware is often deep in a data centre or, more commonly now, the systems are virtual machines running on a cloud service provider such as Azure, AWS or VMC. We assess these by having our client log in remotely to the devices and allow us to view their configuration and rule sets. So, when does a physical assessment become a remote assessment? What is the difference between the two scenarios below?

  1. When on-site we sit in a room and conduct an observational interview with an IT technician who logs onto the corporate firewall or a server via a remote desktop session. We validate that the device is the true device by using network commands, or similar, to verify it’s not a dummy machine configured to pass an assessment.
  2. The QSA initiates, from our office (or their home), a remote session to the client’s IT Technician, using for example GoToMeeting or Microsoft Teams. The Technician shares their desktop and then, using their remote desktop, logs onto the firewall or server. We use the same techniques as we would on-site to validate the device’s identity.
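The ‘network commands, or similar’ used in both scenarios to confirm that the machine on screen is the real device can be as simple as a short, repeatable snapshot that the technician runs while the assessor watches. The script below is an added illustration written for this page, not Sysnet’s own tooling or anything prescribed by the PCI SSC; the function names, the field layout and the choice of commands are assumptions. It captures the host name, kernel, operator, interfaces, addresses and uptime, and produces a digest of the snapshot so the text pasted into the workpapers can later be checked against what was shown in the session.

```shell
#!/bin/sh
# Added example (assumed layout, not PCI SSC or Sysnet tooling): capture a
# host-identity snapshot during an observational interview and fingerprint it.

# Print a timestamped identity snapshot of the machine this shell runs on.
# The assessor compares node name, addresses and uptime with the asset
# inventory and network diagram supplied for the assessment.
collect_host_evidence() {
    printf 'captured_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    printf 'node_name=%s\n' "$(uname -n)"
    printf 'kernel=%s %s\n' "$(uname -s)" "$(uname -r)"
    printf 'operator=%s\n' "$(id -un)"
    # Interfaces and addresses: prefer iproute2, otherwise fall back to the
    # kernel's interface table (names only).
    if command -v ip >/dev/null 2>&1; then
        ip -o addr 2>/dev/null | awk '{print "iface=" $2 " addr=" $4}'
    elif [ -r /proc/net/dev ]; then
        awk -F: 'NR>2 {gsub(/ /,"",$1); print "iface=" $1}' /proc/net/dev
    fi
    # A very low uptime is a prompt to ask why the box was started just
    # before the session (a machine stood up only to pass the assessment).
    if [ -r /proc/uptime ]; then
        awk '{printf "uptime_seconds=%d\n", $1}' /proc/uptime
    fi
}

# Read a snapshot on stdin and print a hex digest of it, using whichever
# hashing tool the host provides.
evidence_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | awk '{print $1}'
    else
        cksum | awk '{print $1}'
    fi
}

# Minimal completeness check on a snapshot string: the fields the assessor
# relies on to tie the session to an inventory entry must be present.
evidence_looks_complete() {
    snapshot="$1"
    printf '%s\n' "$snapshot" | grep -q '^captured_utc=.' || return 1
    printf '%s\n' "$snapshot" | grep -q '^node_name=.' || return 1
    return 0
}

# Usage: run in the shared session, paste both the snapshot and the digest
# into the assessment workpapers.
if [ "${1:-}" = "--run" ]; then
    snapshot="$(collect_host_evidence)"
    printf '%s\n' "$snapshot"
    printf 'digest=%s\n' "$(printf '%s\n' "$snapshot" | evidence_digest)"
    evidence_looks_complete "$snapshot" || echo 'WARNING: snapshot incomplete' >&2
fi
```

The point of the digest is not cryptographic proof (the technician controls the host, so the output is only as trustworthy as the ‘Trust but Verify’ relationship allows) but a cheap way to make the recorded evidence tamper-evident in the assessor’s own records, which is the same concern whether the session has one ‘hop’ or two.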

The only technical difference is that we have an extra ‘hop’ in our remote viewing session.

One major aspect of the interview during an assessment is to look into the eyes and observe the demeanour of the person being interviewed. An experienced assessor will have a feeling that all is well, and the interviewee is being honest. This of course can be missing from a remote assessment.

Remember in a PCI DSS assessment the assessor is working on a ‘Trust but Verify’ mindset. The client is duty and honour bound to be truthful to the assessor. If a client was breached and it was found that they used any kind of subterfuge with the assessor, then they would need to accept the consequences.

Remote Assessment is a perfectly adequate methodology for undertaking an assessment. The QSA and the client should work together in an honest and transparent way to achieve their common goal. This coronavirus will teach us all new ways of working; the remote assessment may even become a de facto way to undertake assessments after the virus has passed. It has many economic, psychological and environmental benefits: it cuts the cost of assessments by removing travel and hotel expenses, it cuts travel and thus the carbon impact, and it reduces the time assessors spend travelling, giving them a better work/life balance. Good news for all; only time will tell!
