The Impact of COVID-19 for PCI-DSS Assessments

Date post: 12-Mar-2022
May 08, 2020 06:51 BST

Traditionally, the PCI Security Standards Council has always required that assessors go on-site to perform a PCI-DSS assessment. It makes this clear through much of its guidance, which calls for a QSA to be "onsite for the duration of the assessment as required"; even more recent documents call for "Schedule onsite interviews" or "having the on-site assessment and participate in QSA on-site interviews".

Today's Climate

In light of the current COVID-19 pandemic and current travel restrictions, the PCI Security Standards Council has lightened the on-site restrictions to be something a bit more pragmatic:

"PCI SSC recognizes there may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an onsite location to conduct an assessment, such as travel advisories or restrictions relating to coronavirus. In the event an onsite assessment is not currently possible due to such circumstances, assessors should follow the guidance in this blog.

When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and requirements are met before they sign off that a requirement is 'in place' and complete a report on compliance."

Within the same publication, the council clarifies that while an exception may be in place for the actual on-site work, the integrity of the work as well as the reporting and the QSA work papers must not be negatively affected in any way by the lack of a physical visit:

"Assessors must take all necessary steps to ensure that the integrity of the assessment isn't negatively affected by remote testing – for example, when testing remotely, special precautions may be necessary to ensure that the personnel being interviewed and system components being examined are the same as if the assessor was onsite. The methods used for observing implementations and collecting evidence must also provide at least the same level of assurance as for an onsite assessment.

Assessors must also clearly document within the Report on Compliance why onsite testing wasn't performed and how the remote testing provided an equivalent level of assurance. All relevant evidence must be retained as part of the workpapers for the assessment, in case of audit or other request."

So, the obvious question is: how does a QSA perform a remote assessment while maintaining the same integrity and quality as a traditional onsite assessment?

PCI DSS Observation Requirements

There are many PCI DSS requirements. These fit into the Examine Documentation, Interview Personnel, and lastly Observe categories.

Obviously, performing the observation requirements noted in the PCI DSS standard may be most affected by not being physically on-site at a client site during an assessment. The current PCI-DSS 3.2.1 standard has approximately 71 requirements where the terms OBSERVE or OBSERVATION are stated explicitly in the testing requirement, such as:

"8.3.1.b Observe a sample of administrator personnel login to the CDE and verify that at least two of the three authentication methods are used" or "10.3 Through interviews and observation of audit logs, for each auditable event (from 10.2), perform the following:"

For requirements where Observe/Observation is not explicitly called for, some requirements would just be difficult to verify without a direct observation, such as:

"9.1.3 Verify that physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines is appropriately restricted."

As clients often have restrictive policies inside data centers and computer rooms with regard to photography and video, these requirements present challenges to the QSA in gaining the appropriate level of comfort for marking a requirement as In-Place.

So, to go back to the earlier question of how a QSA should perform a remote assessment while maintaining the same integrity and quality as an onsite assessment: the key here is to ensure your PCI QSA Company has put into place assurance and remote processes to ensure that the Observe/Observation requirements above are especially addressed in the remote work that is performed. If you are an Internal Security Assessor (ISA) doing this for a company internally, this is equally important.

It is also important that the QSA company's processes and procedures have been established for all internal staff performing remote assessments, and that suitable technologies are used to provide the required level of assurance as mandated by the PCI SSC. Facilities the QSAC could use to facilitate the remote assessment might include:

• Video conferencing such as WebEx, MS Teams, or BlueJeans to personally observe screen evidence, file configurations, staff logins, etc.

• Live recording features for virtual site walkthroughs through FaceTime, MS Teams, etc. for data center, retail, and call center reviews

• A secure evidence portal to facilitate video uploads, screenshots of configs and login screens, etc.

• Use of MD5 and other hash algorithms to ensure the integrity of any evidence file uploads

For situations where an in-person visit is absolutely required because of lockdown data center requirements, etc., it is helpful that the QSAC has a geographically dispersed staff that it may leverage for site visits such as these.

Getting Help and References

It is important to work with a QSAC that has experience in doing remote assessments and has technologies in place to support remote evidence review. PSC, an NCC Group company, has developed a proprietary evidence portal for loading remote evidence of controls in place. We have procedures in place for all QSAs in order to document remote evidence and workpapers and the associated technologies required. We also have QSA staff from coast to coast within the continental U.S. for those situations that require a local presence.

Reach out on +1.408-228-0961 to learn more about our cost-effective solutions in place for traditional and remote assessments.

About NCC Group

NCC Group exists to make the world safer and more secure.

As global experts in cyber security and risk mitigation, NCC Group is trusted by over 14,000 customers to protect their most critical assets from the ever-changing threat landscape.

With the company's knowledge, experience, and investment in research and innovation, it is best placed to help organisations assess, develop and manage their cyber resilience posture.

With circa 2,000 colleagues in 12 countries, NCC Group has a significant market presence in North America, Europe and the UK, and a rapidly growing footprint in Asia Pacific with offices in Australia, Japan and Singapore.

Contacts

Regional Press Office - North America
Press: [email protected]
+1 408 776 1400
+1 408 893 8750
