PCI DSS: Remote vs. onsite assessments - Things to consider

Following the latest events concerning the outbreak of coronavirus disease (COVID-19), the Payment Card Industry Security Standards Council (PCI SSC) and the payment card brands have issued several guidelines supporting remote versus onsite assessments, where possible.

So what are the remote PCI DSS assessment specifics that we've observed in real life so far? In this article, we'll provide tips-and-tricks and some considerations to be taken into account by both the assessors and the assessed entities.

Firstly, some evidence collection remotely is not a new thing for most QSA companies and assessed entities. So any additional remote assessment steps can be built upon that. It's not uncommon during onsite assessments to have some responsible people joining the meetings via conference call.

The main difference of onsite vs. remote assessments is that in the first scenario, the assessor is present in assessed entity's premises for a limited time, so all necessary people and resources must be available to make the most of it. In this sense, remote assessments provide more flexibility as the meetings that would typically happen in the span of a few days can now be extended into a few weeks with more breaks in between. However, it's usually more difficult for the assessed entity to arrange availability of required people and resources when everyone is working remotely.This means that the remote assessments should start far earlier than usual, taking into consideration that all required meetings will take place within a more extended period.

Onsite assessments also provide the assessor with more non-verbal information observing people's behavior while being present in the same room. It is difficult for the assessor to perform observation testing procedures remotely to see how people perform their duties.

It's essential, of course, to have screen sharing possibilities. By agreement of both the assessor and the assessed entity, the remote assessment sessions can be recorded, which makes the assessor's life a bit easier by making it possible to go back for any clarifications or even to take some screenshots afterward.

Time zone difference is another factor to take into consideration, which is typically not relevant during onsite assessments. Assessor's travel time and jet lag 'savings' can be used to have more and shorter remote sessions for better coverage of all required topics.

Last but not least, certain types of tests can only be done in-person (for instance, review of physical security controls or PCI DSS requirement 9.9 for retail merchants), and the assessment completion delays may be unavoidable. Any questions about how a delay of completion of the assessment may impact compliance should be addressed to the assessed to the entity's acquirer or relevant payment card brands.

Unfortunately, this exceptional situation is currently replacing usual PCI DSS assessment activities, slowly becoming socially and otherwise accepted. It is also now clear that more and more companies will move towards more remote working. So, the question is - will this become a new approach for the assessments going forward?