The COVID-19 crisis has presented a variety of challenges to merchants and service providers around the world. We’ve received many questions about the impact of COVID-19 on PCI DSS audits, as well as on PCI compliance in general. Below are some answers to the most commonly asked questions from businesses that need to perform a remote PCI DSS audit:
Do I still need to be PCI DSS compliant during the COVID-19 outbreak?
Yes. All merchants and service providers are still required to maintain compliance with all requirements of the PCI DSS.
The date for my PCI DSS assessment is approaching. How can I do an onsite PCI DSS assessment with COVID-19 travel restrictions and social distancing requirements that are currently in place?
The PCI Security Standards Council (SSC) is aware that current circumstances limit travel and group gatherings throughout the world. In instances where travel restrictions and/or gathering limitations do not allow for a normal onsite assessment to be performed, the PCI SSC is temporarily allowing remote assessments to be performed if possible.
It is important to note that the PCI Council expects this possibility to be temporary. As travel restrictions are lifted and gathering is once again possible, onsite visits will again resume for all PCI DSS assessments.
Can I do a remote PCI DSS audit for any location?
No. Some environments may have controls that cannot be verified remotely. In addition, onsite assessments should still be performed wherever possible. Work with your assessor to determine whether a remote PCI DSS assessment is both necessary and feasible for your environment.
How is a remote PCI DSS assessment performed?
Your assessor will work with you to find a method of evidence collection and review for your environment, if possible. For example, in-person interviews may be replaced with video chat sessions. Physical walkthroughs of CDE locations may be replaced with video footage of unaccompanied walkthroughs. In addition, system configuration files, screenshots, and even shared desktops on recorded video chat sessions may be used to verify compliance of system components and configurations.
How many PCI DSS requirements will need to be assessed?
All of them. The PCI SSC has expressed that all applicable PCI DSS requirements still need to be reviewed for compliance by the assessor. Because the results of remote assessments must be commensurate with the results of a normal onsite assessment, the time required to collect evidence may be longer than what would normally be expected for an onsite assessment.
My assessment is in 5 months. Will it still be possible to do a remote assessment?
We don’t know yet. As travel restrictions are lifted and normal gathering is allowed, onsite assessments will gradually become possible again. It is expected by the PCI SSC that onsite assessments will be performed wherever possible. As such, it is recommended that you prepare for an onsite assessment unless your assessor tells you otherwise. As your assessment date approaches, your auditor may work with you to make arrangements for a remote assessment if necessary.
My compliance report is due before it will be possible to complete an assessment. What should I do?
Speak with your compliance-accepting entity regarding the timeframe of your report. Some acquirers and/or payment brands may grant an extension or allow partial reports based on extenuating circumstances.
Christopher Skarda (CISSP, QSA, CCNA) is a Security Analyst at SecurityMetrics and has worked in data security for thirteen years and the PCI sector for three years. He has a Bachelor of Science in Information Technology from BYU.