Remote Assessment Guidance Issued

The PCI SSC has issued guidance on conducting on-site fieldwork for PCI assessments during the Covid-19 pandemic.  Their blog post can be found here.

Given that governments around the world are saying that this pandemic could be ongoing until the summer, I would suspect that the Council will have to issue better guidance than what is in their latest blog post.  So I would expect more to come on this topic in the coming weeks.

03/19/2020 UPDATES: The Council has set up a Web page to track any Covid-19 updates. Also, guidance on remote assessments has been provided, and remote assessments are allowed given the current pandemic conditions. The key is to discuss a remote assessment with the banks and/or brands involved before proceeding.


8 Responses to “Remote Assessment Guidance Issued”

  1. Mike
    March 16, 2020 at 2:27 PM

    Hi PCIGuru.

    Do you (or anybody) have any info on people that need to work from home/remotely when you are a PCI Service Provider? What would be the guidance?

    How are banks' call centers doing? Or any call center?


    • March 16, 2020 at 2:41 PM

      I assume you support work from home in off hours as do most service providers. Now it’s all of the time (unless you need physical access to a device).

      I would rely on logging, virtual paperwork and any automated workflows to track that work is done and done properly with approvals.

      Good idea for a post though. Thanks.

      • Mike
        March 16, 2020 at 3:06 PM

        We don’t support work from home for agents, but because of the coronavirus measures, we may need to send people home. Some may still need to take credit cards over the phone (or soft phone) and type them into a form. I was wondering if there is some guidance, besides using 2FA, security cameras at home, and always limiting connectivity to the CDE.

        If using an employee's own laptop/PC is OK (which I don’t think it is), and from there opening a virtual desktop environment such as Citrix, VMware, etc., or using a dumb terminal to connect to Citrix with 2FA, would be OK...

      • March 17, 2020 at 3:25 PM

        Some things to consider.

        Softphones bring the workstation totally into scope because they are now directly connected to the CDE (VoIP system).

        Cameras are up to you but are not necessarily required because operators are doing only one card at a time.

        Using a BYOD is problematic because you do NOT control that device, so I would not recommend it.

        VDI is a way to go but still brings the workstation into scope because the keyboard is usually used for entering the PAN.

  2. Erik
    March 12, 2020 at 3:37 AM

    I found the guidance a bit inconclusive.

    Does PCI mean that remote assessment is only acceptable if we are physically prevented from going (e.g. by legal restrictions on travelling, enforced quarantine, closed borders, etc.)?

    Or does PCI recommend that we avoid travelling and use remote assessment where possible, as long as the integrity of the assessment can be upheld?

    • March 12, 2020 at 7:58 AM

      You are not the only one with questions and concerns. As I took it, when in doubt, talk to the card brands and/or banks involved and get their advice. That said, I think it will all come down to documentation to cover your butt if you do not go onsite.

  3. March 11, 2020 at 4:28 PM

    The guidance seems useless. I don’t think a remote assessment can provide the level of assurance required for PCI DSS.

    • March 12, 2020 at 8:01 AM

      Yeah, I had a lot of people say that privately. I think the biggest problem comes from travel bans over which none of us have control. You could get somewhere and then have no way back home. It’s like when a lot of people got caught after 9/11 and ended up having to rent cars to drive back home.
