What is the impact of Covid-19 on PCI DSS Compliance?
The spread of Covid-19 across the world has presented many logistical challenges for businesses from both a commercial and operational perspective. Employees working from home creates significant security and compliance challenges (APRA & PCI DSS compliance challenges to name but a few).
A key issue affecting PCI DSS compliance is the disbursed nature of remote working, making it difficult for PCI DSS Qualified Security Assessors (QSA’s) to conduct security assessments onsite, as the number of assessment locations has effectively exploded. Many finance staff and call centre agents are now processing credit card payments from their homes, and given the sensitive financial nature of this data, this creates several security challenges and fraud risks.
To address this specific challenge, the PCI SSC issued a memo (see here for memo) on 12 March 2020 to guide remote audits to be conducted as part of a PCI DSS compliance assessment.
The key points from the memo include:
Does the PCI DSS QSA need to be onsite?
Due to travel restrictions or advisories, there may be situations where it’s not possible to conduct an assessment on site.
If performing a remote assessment, the assessor has to ensure that any validation they perform provides the necessary level of assurance that the controls are properly implemented, and requirements are met. This must be done before they sign-off that a requirement is “in place” and complete a report on compliance.
Maintaining assessment integrity
Assessment integrity is of the highest importance, and all necessary steps must be taken to ensure that remote testing doesn’t affect the integrity of the assessment. Any remote methods used for observing implementations and gathering evidence must provide the same level of assurance as an onsite assessment.
Assessors also need to document in the report why onsite testing wasn’t performed and how remote testing was able to provide the equivalent level of assurance for compliance. This documentation needs to be kept as evidence in case of an audit assessment or another request.
Consider local assessor resources
If a QSA is unable to travel and conduct an onsite assessment due to health concerns, they are instructed to consider engaging with more localised assessor resources. This includes assessor companies engaging an approved subcontractor to perform the assessments on their behalf, on site in accordance with the QSA program requirements.
Do companies need to adhere to the full rigour of the PCI DSS standards
Yes, any company that’s stores, processes or transmits credit card data still needs to secure the data end to end, and comply with all of the standards, irrespective of the current pandemic conditions.
Where too from here?
What is clear from the communication coming out of PCI SSC is the recognition that these are exceptional circumstances facing businesses.
If businesses come across any situation that could compromise or negatively impact there level of risk it is recommended that they document any proposed changes and conduct a thorough risk analysis before changing or reducing a control related to PCI DSS compliance.
If you wish to cost-effectively secure your remote workers, in terms of securing payments processes and protecting customer data, please get in touch.
Also, if you want to to improve your customer’s online payment experience given the shift away from instore commerce to online payments, please give us a call.
If you have any concerns regarding PCI DSS compliance for your payment system during Covid-19, please contact us at email@example.com.