11 Mar 20

Remote Assessment Guidance Issued

The PCI SSC has issued guidance in response to the Covid-19 pandemic and its effect on conducting on-site fieldwork for PCI assessments. Their blog post can be found here.

Given that governments around the world are saying that this pandemic could be ongoing until the summer, I would suspect that the Council will have to issue better guidance than what is in their latest blog post. So I would expect more to come on this topic in the coming weeks.

03/19/2020 UPDATES: The Council has set up a Web page to track any Covid-19 updates. Also, remote assessment guidance has been provided, and remote assessments are allowed given the current pandemic conditions. The key is to discuss a remote assessment with the banks and/or brands involved.


8 Responses to “Remote Assessment Guidance Issued”


  1. Mike
    March 16, 2020 at 2:27 PM

    Hi PCIGuru.

    Do you (or anybody) have any info on people that need to work from home/remotely when you are a PCI Service Provider? What would be the guidance?

    How are banks' call centers doing? Or any call center?

    thanks

    • March 16, 2020 at 2:41 PM

      I assume you support work from home in off hours as do most service providers. Now it’s all of the time (unless you need physical access to a device).

      I would rely on logging, virtual paperwork and any automated workflows to track that work is done and done properly with approvals.

      Good idea for a post though. Thanks.

      • Mike
        March 16, 2020 at 3:06 PM

        Thanks.
        We don’t support work from home for agents, but because of the coronavirus measures, we may need to send people home. Some may still need to take credit cards over the phone (or softphone) and type them in on a form. I was wondering if there is some guidance, besides using 2FA, security cameras at home, and always limiting connectivity to the CDE.

        If using an employee's own laptop/PC is OK (which I don’t think it is), and from there opening a virtual desktop environment such as Citrix, VMware, etc., or using a dumb terminal to connect to Citrix with 2FA would be OK.

      • March 17, 2020 at 3:25 PM

        Some things to consider.

        Softphones bring the workstation totally into scope because they are now directly connected to the CDE (VoIP system).

        Cameras are up to you but are not necessarily required because operators are doing only one card at a time.

        Using a BYOD is problematic because you do NOT control that device, so I would not recommend it.

        VDI is a way to go but still brings the workstation into scope because the keyboard is usually used for entering the PAN.

  2. Erik
    March 12, 2020 at 3:37 AM

    I found the guidance a bit inconclusive.

    Does PCI mean that remote assessment is only acceptable if we are physically prevented from going (e.g. by legal restrictions on travelling, enforced quarantine, closed borders, etc.)?

    Or does PCI recommend that we avoid travelling and use remote assessment where possible, as long as the integrity of the assessment can be upheld?

    • March 12, 2020 at 7:58 AM

      You are not the only one with questions and concerns. As I took it, when in doubt, talk to the card brands and/or banks involved and get their advice. That said, I think it will all come down to documentation to cover your butt if you do not go onsite.

  3. March 11, 2020 at 4:28 PM

    The guidance seems useless. I don’t think a remote assessment can provide the level of assurance required for PCI DSS.

    • March 12, 2020 at 8:01 AM

      Yeah, I had a lot of people say that privately. I think the biggest problem comes from travel bans over which none of us have control. You could get somewhere and then have no way back home. It’s like when a lot of people got caught after 9/11 and ended up having to rent cars to drive back home.

