The COVID-19 crisis has presented a variety of challenges to merchants and service providers around the world. We’ve received many questions about the impact of COVID-19 on PCI DSS audits, as well as PCI compliance in general. Below are some answers to the most commonly asked questions from businesses that need to perform a remote PCI DSS Audit:
Yes. All merchants and service providers are still required to maintain compliance with all requirements of the PCI DSS.
The PCI Security Standards Council (SSC) is aware that current circumstances limit travel and group gatherings throughout the world. Where travel restrictions and/or gathering limitations do not allow a normal onsite assessment to be performed, the PCI SSC is temporarily allowing remote assessments to be performed where that is feasible.
It is important to note that the PCI Council expects this possibility to be temporary. As travel restrictions are lifted and gathering is once again possible, onsite visits will again resume for all PCI DSS assessments.
Read the PCI SSC’s statement on COVID-19 here.
No. Some environments have controls that cannot be verified remotely (physical security controls in particular). In addition, onsite assessments should still be performed wherever possible. Work with your assessor to determine whether a remote PCI DSS assessment is feasible for your environment.
Your assessor will work with you to find a method of evidence collection and review that fits your environment, where one exists. For example, in-person interviews may be replaced with video chat sessions. Physical walkthroughs of CDE locations may be replaced with video footage of walkthroughs performed by your staff without the assessor present. System configuration files, screenshots, and shared desktops on recorded video chat sessions may be used to verify the compliance of system components and their configurations.
PCI SSC blog on remote PCI audits during COVID-19.
See also: SecurityMetrics PCI Guide
All of them. The PCI SSC has expressed that all applicable PCI DSS requirements still need to be reviewed for compliance by the assessor. Because the results of remote assessments must be commensurate with the results of a normal onsite assessment, the time required to collect evidence may be longer than what would normally be expected for an onsite assessment.
We don’t know yet. As travel restrictions are lifted and normal gathering is allowed, onsite assessments will gradually become possible again. The PCI SSC expects onsite assessments to be performed wherever possible. As such, it is recommended that you prepare for an onsite assessment unless your assessor tells you otherwise. As your assessment date approaches, your assessor may work with you to make arrangements for a remote assessment if necessary.
Additional remote PCI DSS assessment considerations from the PCI Council.
Speak with your compliance-accepting entity regarding the timeframe of your report. Some acquirers and/or payment brands may grant an extension or allow partial reports based on extenuating circumstances.