Principles and procedures for conducting remote assessments of compliance with PCI SSC standards, including PCI DSS
The PCI SSC has recently issued updated guidelines and procedures for remote assessments. In the following sections, we aim to answer several important questions:
What are the Main Contents?
This document outlines a set of principles and procedures that establish the framework for conducting remote assessments of compliance with PCI SSC standards, including PCI DSS. It provides best practices and guidelines for employing remote testing methods across the different types of testing activity. It also offers a template to support the justification for using remote assessment activities when generating Reports on Compliance (ROC) and Reports on Validation (ROV), and it sets out the requirements and expectations for PCI SSC assessors conducting remote assessments, with a specific emphasis on ROCs.
What Led to it Being Published?
With the onset of the COVID-19 pandemic, the PCI SSC received an influx of inquiries about the viability of remote assessments in situations where onsite assessments were not feasible.
In order to address these concerns, the Council published informative content in the form of blogs, webinars, and forums, offering guidance on remote assessments. However, to provide a more formal and comprehensive framework for the suitability and implementation of remote assessments, the Council has now introduced the Remote Assessment Guidelines and Procedures document. This document presents a more detailed and structured approach to conducting remote assessments.
Is the Council Endorsing the Use of Remote Assessments?
Yes, remote assessments are possible, but several conditions apply. The PCI SSC expresses a preference for assessing compliance with its standards through onsite visits, because onsite assessments are believed to offer better insight and a higher level of assurance than remote assessments.
Consequently, remote assessments should only be considered when there are clear and unavoidable obstacles that prevent an onsite assessment from being conducted. If such obstacles do not exist, assessors are expected to carry out onsite assessments instead.
Ultimately, the goal is for assessors to acquire the necessary level of assurance that organizations are fully compliant with the requirements of PCI Standards, such as PCI DSS.
Are PCI Remote Assessments Easier and Quicker to Conduct?
Remote assessments are common in other industries, but that does not make them easier or quicker in the PCI context. Conducting a remote assessment for PCI compliance typically demands thorough and meticulous preparation and planning, which may include a feasibility study, and a remote assessment may take longer to complete than an onsite one.
It is essential for assessors to uphold the same level of rigor and integrity in remote assessments as they would in onsite assessments. There are situations where onsite testing may be necessary to ensure the assessment is fully carried out.
What are the Main Requirements Attached to Conducting Remote Assessments?
Before conducting remote assessments, it is crucial to perform a comprehensive feasibility analysis. This analysis allows the client and the assessor to collaborate and discuss the scope, challenges, and potential risks associated with remote assessments.
The results of the feasibility analysis must be documented and included in the relevant Report on Compliance (ROC). Effective and extensive communication between the assessor and the organization is vital not only during the planning phase but throughout the entire assessment process.
Continuous monitoring and evaluation of the remote testing methods should be carried out to ensure their effectiveness and to determine if additional testing is required.
It is imperative that remote assessment activities do not compromise or have any negative impact on the security of the assessed environment. If conducting a remote assessment would violate an entity’s security rules or any PCI standard security requirement, an onsite assessment becomes necessary.
The assessor bears the ultimate responsibility for evaluating the level of assurance provided by the remote assessment. If the assessor cannot attain the required level of assurance to generate a passing audit result, an onsite assessment must be arranged, or else the assessment will remain incomplete.
Where are Remote Assessments ‘Appropriate’?
There are various circumstances in which an onsite assessment may be restricted or impractical. These include:
• External factors, such as health and safety restrictions imposed by government bodies, that prevent assessors from travelling to, or being physically present at, a site where face-to-face contact would be involved. Certain geographic locations may also be inaccessible or difficult to reach.
• Business and operational considerations that favor remote assessment methods over onsite testing. Examples include organizations that operate solely in the Cloud without physical premises or facilities, or that have outsourced all of their infrastructure to a third-party provider which has undergone a separate PCI compliance assessment; in such cases the organization's staff may all work remotely from home.
• Assessment requirements that primarily involve reviewing documentation (such as policies and processes) and conducting interviews, with no need to observe processes, systems, or the physical environment of the organization.
It is essential that the reasons for not conducting onsite assessments are justifiable and based on a rational and realistic evaluation of the circumstances. Moreover, the assessor must be able to attain the necessary level of assurance required for assessing a particular requirement.
If the desired level of assurance cannot be achieved remotely, the assessor must explore alternative means to obtain that level of assurance, which may involve continuing the assessment onsite at the organization’s location.
Where are Remote Assessments not Appropriate?
The straightforward response to this question is that an onsite assessment is required when a remote assessment cannot be justified by a rational and realistic evaluation of the situation, or when the assessor cannot obtain the necessary level of assurance to assess a specific requirement remotely.
The PCI SSC emphasizes onsite assessments for PCI DSS whenever feasible, for several reasons:
• Onsite assessments allow assessors to directly observe processes and controls as they occur, providing greater insight into their effectiveness.
• There is less opportunity for non-compliances to be concealed or excluded from the review.
• Face-to-face interaction enables assessors to gauge interviewees' understanding and knowledge of PCI DSS more efficiently.
• It is easier to bring additional resources into interviews when needed.
Experience during the COVID-19 pandemic has highlighted these benefits. Remote assessments require careful planning by both the assessor and the organization to ensure that the evidence and assurance needed to determine whether a requirement is in place can actually be obtained. If the required level of assurance cannot be attained remotely, the assessment is considered incomplete until onsite testing can be performed.
Are there Additional Documentation Requirements in Completing a ROC?
Yes. The Guidelines document includes an Appendix A, Addendum for ROC/ROV, an additional section in which the assessor elaborates on the rationale for, and the extent of, conducting the assessment remotely.
This addendum requires the assessor to provide an explanation of why the decision was made to perform the assessment remotely and to what degree. Additionally, it mandates the documentation of the specific types of remote testing conducted, such as reviewing documentation and conducting interviews with personnel. The assessor is also responsible for confirming that a thorough assessment was carried out and that a high level of confidence in the overall assessment has been achieved.
It is crucial for the assessor to be able to justify and support the decision to opt for a remote assessment, as well as the findings detailed in the ROC. As mentioned earlier, the results of the feasibility analysis must be included in the relevant ROC to provide additional context and transparency.
How Does the PCI SSC Document Help?
In addition to outlining procedures, the document also encompasses best practices and guidelines for various remote testing methods. These methods include documentation reviews, interviews, examination of systems and data, observations of processes and physical environments, as well as interactive testing.
For each type of testing activity, the document delves into:
• Potential challenges and considerations that may arise during remote assessments, such as factors that can impact the reliability of evidence gathered remotely.
• Additional testing activities that can be employed to mitigate any gaps in reliability and assurance, ensuring a thorough assessment.
• Potential scenarios where remote testing may not be feasible or suitable, requiring alternative approaches to be considered.
By addressing these aspects, the document gives assessors comprehensive guidance for navigating the intricacies of remote assessments effectively.
What about Post COVID-19?
The primary aim of the document is to facilitate the proper and effective use of remote assessments even beyond the context of the COVID-19 pandemic. It provides guidance on various scenarios where onsite assessments cannot be feasibly conducted and, more significantly, explores how remote assessments can be employed to address such situations.
By presenting these scenarios and highlighting the potential applications of remote assessments, the document seeks to establish remote assessment as a valuable and viable approach in a broader range of circumstances. It aims to provide assessors with the necessary tools and understanding to utilize remote assessments appropriately and effectively, ensuring compliance with PCI SSC standards.
Assessment of the New Guidelines
The formal issuance by the SSC of a document setting out the appropriate use of remote assessments, and the circumstances in which they should occur, is a positive development for PCI DSS audits. It is crucial to recognize that remote assessments are not meant to be shortcuts or convenient alternatives. They require meticulous planning, a strong working relationship between the assessor and the client, and detailed additional documentation when completing the ROC. The clear guidelines in the document are also praiseworthy: they set out the process to follow when an onsite assessment is not possible due to external factors (such as health and safety concerns or inaccessible locations), or when business and operational practicalities favor remote assessment (such as Cloud-based operations, or testing that is limited to interviews and document reviews). It is important to acknowledge, however, that every organization is unique, and whether a remote assessment, an onsite assessment, or a combination of both is suitable will vary from one PCI DSS audit to the next.