The PCI SSC has issued guidance in response to the Covid-19 pandemic and conducting on-site fieldwork for PCI assessments. Their blog post can be found here.
Given that governments around the world are saying that this pandemic could be ongoing until the summer, I would suspect that the Council will have to issue better guidance than what is in their latest blog post. So I would expect more to come on this topic in the coming weeks.
03/19/2020 UPDATES: The Council has set up a Web page to track any Covid-19 updates. Also, remote assessment guidance has been provided, and remote assessments are allowed given the current pandemic conditions. The key is to discuss a remote assessment with the banks and/or brands involved.
Hi PCIGuru.
Do you (or anybody) have any info on people that need to work from home/remotely when you are a PCI Service Provider? What would be the guidance?
How are banks' call centers doing? Or any call center?
thanks
I assume you support work from home in off hours as do most service providers. Now it’s all of the time (unless you need physical access to a device).
I would rely on logging, virtual paperwork and any automated workflows to track that work is done and done properly with approvals.
Good idea for a post though. Thanks.
Thanks.
We don’t support work from home for agents, but because of the coronavirus measures, we may need to send people home. Some may still need to take credit cards over the phone (or softphone) and type them into a form. I was wondering if there is some guidance, besides using 2FA, security cameras at home, and always limiting connectivity to the CDE.
Would using an employee's own laptop/PC be OK (which I don’t think), and from there opening a virtual desktop environment such as Citrix, VMware, etc.? Or would using a dumb terminal to connect to Citrix with 2FA be OK?
Some things to consider.
Softphones bring the workstation totally into scope because they are now directly connected to the CDE (VoIP system).
Cameras are up to you but are not necessarily required because operators are doing only one card at a time.
Using a BYOD is problematic because you do NOT control that device, so I would not recommend it.
VDI is a way to go but still brings the workstation into scope because the keyboard is usually used for entering the PAN.
I found the guidance a bit inconclusive.
Does PCI mean that remote assessment is only acceptable if we are physically prevented from going (e.g. by legal restrictions on travelling, enforced quarantine, closed borders, etc.)?
Or does PCI recommend that we avoid travelling and use remote assessment where possible, as long as the integrity of the assessment can be upheld?
You are not the only one with questions and concerns. As I took it, when in doubt, talk to the card brands and/or banks involved and get their advice. That said, I think it will all come down to documentation to cover your butt if you do not go onsite.
The guidance seems useless. I don’t think a remote assessment can provide the level of assurance required for PCI DSS.
Yeah, I had a lot of people say that privately. I think the biggest problem comes from travel bans over which none of us have control. You could get somewhere and then have no way back home. It’s like when a lot of people got caught after 9/11 and ended up having to rent cars to drive back home.