PCI DSS

Guidance for PCI Assessments During COVID-19

One of the challenges of information security and compliance is dealing with evolving requirements. The current pandemic with Covid-19 has further added complexity to how we operate and maintain secure payment systems. Not only do we have technical and administrative controls to manage and maintain but we also must address public health and safety concerns and adhere to legal requirements by state, federal, provincial or local mandates.

SecureTrust has provided guidance on our operations and validating compliance in regards to Covid-19 here.

The PCI Security Standards Council has also implemented a blog and additional resources for assessed entities and organizations in the payment ecosystem.

SecureTrust is committed to helping your organization achieve, maintain and validate your PCI compliance.

A third-party validation is still possible under the guidelines from the PCI SSC regarding remote validation assessments. As a rule the validation assessment must include an on-site visit, or multiple visits, to provide assurance that controls are in-place.

With Covid-19 that is a bit more complicated but achievable! The PCI SSC has provided provisions to perform testing activities remotely, specifically due to Covid-19. Parsing the SSC guidance:

“When performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and requirements are met before they sign off that a requirement is “in place” and complete a report on compliance.“

https://blog.pcisecuritystandards.org/remote-assessments-and-the-coronavirus

The essence is that the methods used for remote testing of controls must give the same level of assurance as if the assessor was performing the assessment on-site. The integrity of the assessment must be the same as if a physical visit was performed. There may be multiple methods to perform the testing and provide that level of assurance.

The assessed entity must provide evidence with the above consideration in mind. There may be multiple methods to gather the evidence for your assessment that meet the same level of efficacy as an on-site visit. It is encouraged to demonstrate a date/timestamp for any evidence to ensure that it was collected during the assessment period.

1. Video evidence of the control that is legible, reproduceable and defensible
2. Photographic evidence of the control that is legible, reproduceable and defensible
3. System generated output that demonstrates the control is in-place, such as the output of scripts or utilities. This should also include clear evidence of which system was covered. The tool that was used must also be documented to provide assurance to the assessor.
4. Screenshots of applicable configurations, system settings, contents of files, etc. that also clearly identify the system that was covered by the screenshot
5. Assessor observations of Remote Desktop, or similar tools, by which they can clearly observe the control for each applicable system
6. Utilizing a webcam or mobile phone camera to observe physical security controls that are in-place. This could also be done via video or photographs

There are other options available for an assessed entity to provide repeatable, reproduceable evidence for their assessor. Our recommendation is to communicate with your assessor about what methods are acceptable for remote validation for each type of control.

The PCI SSC may announce additional guidance for remote assessments.

It’s of paramount importance to have these conversations with your assessor as early as possible. Gathering remote evidence prior to speaking to your assessor may result in duplication of effort gathering evidence multiple times.

There are many different possible assessment scenarios that you and your assessor will need to review as part of your remote assessment.

1. Cloud-based environments
2. Co-located environments
3. Corporate datacenters and Corporate offices
4. Physical brick-and-mortar retail locations
5. A hybrid of the above or other configurations

Review each of these types of environments with your assessor so that all evidence gathering activities and observations are clearly defined, documented, agreed upon, and determined to provide the assurance necessary and are both repeatable and reproduceable.

A successful remote assessment is possible under the necessary precautions with the prevalence of Covid-19.

With that in mind, it is also possible that your organization may be unable to perform your assessment before your compliance date. Please speak with your acquirer and/or the card brands to extend your compliance date as early as possible. Coordinate with your third parties to keep them aware that your compliance documentation may be delayed due to complications of Covid-19.

If you have any questions or are not sure on how you need to proceed, please contact your SecureTrust consultant. If you don’t have one, and need to make a determination on how to proceed with your compliance, please contact our Sales department by clicking here and they can coordinate a call with one of our Managing Consultants.

_______________

SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.

Complete this form to speak with a SecureTrust representative and learn how we can help your business achieve and maintain compliance as threats to data and privacy evolve.

_______________

Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.

Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT and large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.