PCI DSS Remote Assessments: How to Maintain Compliance in a Crisis
Alexander Norell helps us address – Are remote assessments proving effective? What can companies do to ensure the lockdown is not impacting PCI progress?
Remote assessments are likely to be the norm for many months as the global economy starts to get back on its feet and the Payment Card Industry Security Standards Council (PCI SSC) and card brands continue to endorse the new approach.
With customers of all sizes around the world adapting to a changing trading environment, SecureTrust is seeing a split between those who are proactively sustaining their compliance requirements and those that are reactive and slowing down progress.
Whilst some businesses have had to put trading on hold, particularly in the hospitality sector, for the majority (60% plus according to our numbers) it’s business as usual and remote assessments are a very real part of the day job.
It’s the companies that are slowing down that we need to be concerned about. Whilst the PCI Council and card brands have granted a waiver on validating compliance until 31st July, they expect the industry to remain compliant at all times.
Remote assessments are slightly different to onsite ones and may take a little longer in the short term, but they are very achievable, and we are actively submitting Reports on Compliance (ROCs). It is important to take the time to map your new processes and to have the tools to collect evidence remotely, as remote assessments need to be performed with the same rigour and intensity as onsite ones. The use of video and collaboration platforms has been a huge help when interviewing system administrators.
- Technology is important. Cloud-based portals for evidence gathering such as Compliance Manager will enable your team to continue to do scans remotely and access data 24/7 – ensuring awareness of responsibilities and deadlines. Data is encrypted and the software saves internal resource costs.
- QSA engagement is critical. Having a solid two-way partnership with a QSA company that understands your business, your language and culture, as well as local regulations, is a big advantage, and one that can give you a global perspective of how businesses are adapting. After all, this is a global pandemic.
- Map out new business processes. Your QSA will be able to help you with this. You may now have all your staff working remotely, or you may be moving to e-commerce. You will need to look at where the potential risks are and where the endpoints now sit within your business.
- Stay close to the PCI Council guidance. There are likely to be further changes ahead as businesses adapt to new ways of working. https://www.pcisecuritystandards.org/covid19 is a good resource.
- Be proactive. Plan the process of evidence gathering. Ensure new technology methods such as video cameras and authentication processes are incorporated. Screensharing, webcam and mobile phone recording can also be used to record physical security controls. Consider milestones for when you plan to reopen.
With more than 90 QSAs around the world, SecureTrust is used to working remotely and in periods of economic crisis, and can offer guidance and a global perspective.
We are holding Compliance Reviews with customers of all sizes to provide an update on what companies are doing to mitigate risks in this period and to offer practical tips and guidance. Our QSAs are also offering Compliance Continuity Planning advice to non-customers who are concerned about future requirements. It is important that companies carry on meeting their PCI requirements, such as vulnerability scanning and patching. We can help.
_______________________
SecureTrust, a Sysnet company, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
_______________________
Alexander Norell leads the delivery of compliance and risk services in EMEA. He is responsible for managing the teams that deliver compliance assessments, privacy engagements, information security consulting, IT governance consulting and risk assessments. Alexander also works with a number of multinational retailers, payment processors, acquirers and other service providers to help them achieve and maintain PCI DSS compliance.
He actively works as a P2PE PA QSA and PA-QSA and as such performs application security assessments on applications that need to be validated against P2PE and PA-DSS. Alexander joined Trustwave in 2007 and has been a part of the EMEA management team since 2009.