Watch to learn how you can best be prepared for a remote PCI DSS Assessment.
They are the questions on everyone’s minds: how has the COVID crisis affected PCI Compliance? How can we conduct an assessment if we can’t travel or go into the office? Do we even need to do audits? Beyond that, how might the assessment process look in coming months? Will the Council allow remote assessments? How long will they allow them?
After all, the PCI Council explicitly states that, "the QSA is expected to be physically on site for each PCI DSS Assessment, though the duration of the on-site visit will vary." (PCI SSC FAQ 1455) Matt addresses this issue in detail and answers many of the common questions businesses have about how to conduct remote PCI Assessments. During this time of uncertainty, we want to help businesses know what they can expect and how they can best be prepared for their PCI DSS Assessments and deadlines, which is the last thing they want to be unsure about right now.
This webinar was hosted on September 23rd, as part of SecurityMetrics Summit 2020.
Welcome to my presentation, How to Conduct a Remote PCI Assessment.
My name is Matthew Halbleib, and I'm the director of assessments at SecurityMetrics.
At SecurityMetrics, I focus on data security and compliance to help our customers be more secure and avoid data breaches.
So let's just take a brief look at the agenda then. First, we'll look at what the PCI Security Standards Council has said about remote assessments.
Then we'll examine remote assessments. Are they right for you? What can be done to facilitate the remote assessment, etc.?
And lastly, we'll talk about what things might look like going forward.
So the PCI guidance on remote assessments.
Really, there are three areas: pre-COVID-19, March 2020, and then post-COVID-19.
So pre-COVID-19, in FAQ 1455, the council said in part, "the QSA is expected to be physically on-site for each PCI DSS assessment, though the duration of the on-site visit will vary."
So clearly, you can see that we are required to be on-site. We call this BC or before COVID.
Then in March 2020, we started seeing evidence that the PCI Council might change their opinion on remote assessments.
And in April of 2020, the council recognized that remote assessments might be necessary. Or in their words, quote, "the PCI Security Standards Council recognizes there may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an on-site location to conduct an assessment, such as travel advisories or restrictions relating to coronavirus."
So it's not news to anybody now, but, you know, back in 2020, that was a sea change that they would even permit an on-site assessment.
So what happens after COVID-19?
A remote assessment will not be the norm for future assessments.
As a matter of fact, in the most recent assessor newsletter, the PCI Council reiterated the expectation that on-site assessments are expected once the situation allows for it again.
So this process is only considered for extreme circumstances as acknowledged by the PCI Security Standards Council.
Next, let's talk about remote assessments.
We'll talk about these high-level areas in more detail in the next few slides, but we'll talk about remote assessments, the pre-assessment phase, the assessment, and then post-assessment.
So remote assessments, to be or not to be. Will your bank, processor, or card brand allow delayed reporting? This is one option for you. If they'll allow you to delay your reporting, then you might consider delaying reporting as opposed to doing a remote assessment, especially if you have systems or locations that you can't get into as easily. Maybe you've got data centers that don't permit cameras and things.
So already, the PCI Council has even taken some steps to help in this regard.
The council has announced that for P2PE assessments due for a three-year reassessment on October 30, 2020, they may be given a six-month extension to their reassessment date.
And in a separate bulletin that they put out, they said, due to supply chain disruptions related to the coronavirus, the PCI Council has extended the expiration date of the PIN Transaction Security Point of Interaction v3 devices.
That's a mouthful.
v3 devices, from the 30th of April 2020 to the 30th of April 2021.
Next, ask yourself, can a remote assessment provide the same level of assurance as an on-site assessment?
If not, then you need to conduct an on-site assessment.
Please remember the assessor must document within the ROC why remote testing was performed and how remote testing had an equivalent level of assurance as an on-site visit.
Also remember that the integrity of the assessment must not be negatively affected.
The PCI Council has reiterated the point to all QSAs that the integrity of the assessment must not be compromised to enable a remote assessment.
And ask yourself, is there anything that cannot be remotely assessed? And of course, if there's anything that can't be remotely assessed, then you have to do it on-site.
So at this point, let's assume you've made the decision to conduct a remote assessment.
If changes have been made to the flow of your cardholder data environment due to COVID, make sure you perform a scoping exercise and ensure you have the proper protections in place for these changes to your CDE beforehand. We don't want to do the assessment and then have it take a long time afterwards to implement a bunch of changes to your environment to make it compliant.
Another thing to consider is don't weaken or compromise your CDE protections in order to facilitate a remote assessment.
If you've never allowed remote access into a particular environment within your CDE, it might not be the best thing then to all of a sudden enable remote access into these systems. That could be introducing vulnerabilities and things into your environment that didn't exist before and might be exploited by an attacker if you didn't do them correctly.
Also, consider what sort of travel restrictions might be in place. Even if you're going to do part of it remote, but you have to do some of it on-site or you have to gather people to a particular location to examine the systems, even if the assessor is not going to be there, then consider whether there are government or company-specific restrictions that would make it difficult to get to a location.
There are some states and countries that have a quarantine period for people who come in from out of state or out of the country, who may have to stay in a hotel for fourteen days. So just consider those travel restrictions and how you're going to get through them.
And then lastly, if reporting will be delayed, immediately notify your processor or merchant bank.
Alright. The assessment itself.
Video conferencing is, of course, the tool that everybody's pretty much using to do these remote assessments. But you have to decide which tool you're going to use. Is it going to be Zoom or Google Meet or WebEx or Skype or whatever?
Just consider which tool it is. Do all your platforms work with that particular tool? Is it secure? How many people does it support on one conference?
Does it allow screen sharing in some way?
And along with the screen sharing and things, consider whether you maybe need more than one person displaying their screen at a time.
Also, consider the fact that a broader array of evidence might be needed. What I mean by that is sometimes when we're on-site and we ask somebody to demonstrate a particular process, it's easy for us to watch as that person walks through a process, whether that involves physical paper or whatever.
It's easy enough to demonstrate that process and fairly simple.
If you're doing it remotely, that may take a little bit of time and may actually require you to take pictures of more things or to take a video of something that you physically do that I might see in person if I were there. So, you know, a broader array of evidence may need to be captured.
And test out your remote technologies that you'll use during the assessment beforehand with your assessor to make sure that they'll be sufficient to perform the remote assessment.
Also, consider whether an independent camera is needed. Sometimes, like, if we're at a store and we're looking at point of interaction devices and you've got one person on a device that's actually part of the conference, you may need a second camera where you can actually display, like, the POIs and the serial numbers and the security seals and things like that. So just consider having a second camera there as well so you can keep somebody on the conference as well as demonstrating some of the evidence.
And then I'd highly recommend that you test all these things in advance.
Don't wait for the day of the assessment to try and be using some of these new tools.
You may find that, like, if you're doing something over a cellular connection that you don't have a good enough connection in certain locations to actually even join a video conference.
So test them out in advance. It's very helpful for everybody.
Some additional things here. Avoid adding additional risk just to do a remote assessment.
I mentioned before about adding in remote access and things.
You know, you don't want to add in additional risk just so that you can do a remote assessment. Don't add accounts just so an assessor can get on to a system when you normally wouldn't grant that person access.
Also, make sure that all locations permit cameras.
You know, some data centers and things don't allow you to bring a camera in or didn't in the past, and you may need to make special arrangements for a remote assessment with COVID. And it seems like most of the data centers are being fairly accommodating on this, but just make sure that you can get a camera in where you need it.
Also, make sure you have a backup assessment plan in case, during the event, the intended remote technology fails.
For whatever reason, have a backup technology you can use.
Also, work with your assessor to determine what evidence can be provided prior to the remote assessment.
That evidence, if gathered in advance, can help facilitate the remote assessment on camera. I mentioned, you know, inspecting POIs in a store or something. Requirement 9.9 requires that stores and things inspect their pads on a regular basis and record serial numbers and things like that, so there should be a log that they're keeping. If the assessor can have a copy of that log in advance, then when we see a device on screen, we can also more easily compare your inspection log with the numbers that are on the device itself and make sure that those coincide.
Also, just on a privacy kind of note here, make sure all people are okay with being on camera. In some countries, that's a little more difficult than others.
Lastly, test in advance all the tools you need to capture evidence. Make sure that you can capture the screenshots that are needed. You can get copies of any files that are needed, maybe packet captures, videos, whatever. Just test in advance the tools you'll need to capture the evidence.
So, post the assessment, some things to consider.
Have a standard method to label, categorize, and document all collected evidence. That'll be helpful for you as well as the assessor because you'll be able to document all the things that you have and which requirements they apply to and see if you're missing anything.
And so, that'll also help your assessor on the backside when he has to write the report because he'll clearly know which evidence applies to which requirements.
Also, arrange a secure way to convey all evidence to the assessor.
You can't just upload this stuff in the clear, so you have to have some sort of secure method to exchange the data, and it will be a lot of data.
Also, you might need to allocate more time to complete the entire assessment process and report on compliance.
We found that it seems to be taking a little longer to do remote assessments, and some of that's because, like I mentioned, I can actually watch a process in place where now I have to kind of break it down into discrete steps and ask for evidence and "show me this" and switch between camera views and things like that. It's just taking us a little longer to do some of these remote assessments.
So going forward, a bunch of different things to consider here. Will it continue?
No. COVID-19 is not going away anytime soon, but it also will go away at some point. And in the most recent assessor newsletter, the PCI Council reiterated the expectation that on-site assessments are expected once the situation allows for it again.
Remote workers.
This presents scoping challenges and control challenges. If you're going to have more remote workers, make sure that you have the proper controls in place to protect both the systems they're using and how they connect to your CDE.
You've got two-factor authentication for all of that.
So just, you know, examine your remote workers. That presents some scoping challenges and control challenges for you.
Think about increased communications as well. With more people working remotely, it's important to increase your communications in all respects.
Insufficient communications can lead to breakdowns in the operation of security controls.
So for example, who's handling alerts, who's documenting that certain control activities were properly completed, and who's covering for someone when they're on vacation, etc. When you're all in one location, those things are more easily noticed. But when you're dispersed and everybody's working remotely, you have to make sure that those are properly covered, and that's just good communications.
Also remember: is the documentation that you're keeping on your controls sufficient? Is your documentation sufficient to give the assessor confidence that the controls are operating effectively?
Next, I have your incident response.
You might need to modify your incident response plans to make sure everyone can be contacted when needed. Make sure that you have good contact details on them: cell phones, alternate communications methods. If cell phones are down for whatever reason, whatever the incident may be, cell phone networks may be jammed and you might not be able to get through to people. Have a different means of connecting with them, whether that's email or instant messaging or something else. So consider those kinds of things too when it comes to your incident response plan.
Also, consider that your incident response team might need new tools that allow them to work the event remotely and effectively collaborate with everyone who's on the incident to resolve the problems.
Think about increased documentation. So examine the level of documentation that you're keeping that demonstrates security controls are in place, effective, and properly maintained.
And is the documentation accessible remotely, and is it sufficient to demonstrate those points to your assessor, not only this year, but going forward?
Have clear responsibilities defined.
Make sure teams and individuals within teams clearly understand who's responsible for operating, maintaining, and documenting the performance of all security requirements or security operations.
Watch your PCI scope is the next thing I have. Security needs to become better integrated into all business processes to better inform business decisions and make sure all parties understand the implications of these particular business decisions on the security or PCI posture of the company.
So, for example, if a business decides to have call center workers take credit cards at home, that has major implications for PCI and the security of any data that the home-based users are handling.
It's easy to say that's a good COVID process, but now you need to put in place the security controls around that. And if security and people knowledgeable of PCI weren't involved in that decision, it's easy for the business to make the decision and then recognize too late that they've increased their CDE and they have a bunch more controls, or even money they have to spend, to implement security properly in those environments.
Also, ask for help. If you're unsure about the PCI implications of a particular business decision, reach out to an expert who can help you better understand the consequences of a particular plan and potentially help identify alternatives.
So to sum everything up in a few short words, prepare in advance, examine your tools, and watch your scope.
Thank you for your time, and I hope you've learned something from this presentation. My name is Matthew Halbleib.
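The Requirement 9.9 cross-check described in the talk (comparing the store's POI inspection log against the serial numbers and security seals shown on the second camera), as an added Python example that is not part of the presentation or of SecurityMetrics' tooling; the CSV columns, the device records and the check rules are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed inspection log in the shape a store might keep for Requirement
# 9.9; the column layout is an assumption for this example.
INSPECTION_LOG = """\
location,make,model,serial,seal_id,last_inspected
Store 12,Verifone,VX520,SN-0001,SEAL-A1,2020-09-01
Store 12,Verifone,VX520,SN-0002,SEAL-A2,2020-09-01
Store 12,Ingenico,iPP320,SN-0003,SEAL-A3,2020-06-15
"""

# Constructed observations from the second camera: (location, serial read off
# the device, seal id seen on the device).
OBSERVED = [
    ("Store 12", "SN-0001", "SEAL-A1"),
    ("Store 12", "SN-0002", "SEAL-B9"),  # seal does not match the log
    ("Store 12", "SN-0004", "SEAL-A4"),  # device is not in the log at all
]

def load_log(text):
    """Index the inspection log by serial number."""
    return {row["serial"]: row for row in csv.DictReader(io.StringIO(text))}

def reconcile(log_text, observed, assessment_date, max_age_days=90):
    """Return (serial, issue) pairs for every discrepancy between the log and
    what was shown on camera. Rules assumed for this example: an observed
    device must be logged at that location with the same seal, a logged device
    at an observed location must be shown, and inspections must be recent."""
    log, findings, seen = load_log(log_text), [], set()
    for location, serial, seal in observed:
        seen.add(serial)
        entry = log.get(serial)
        if entry is None:
            findings.append((serial, "observed device is not in the log"))
            continue
        if entry["location"] != location:
            findings.append((serial, "logged at a different location"))
        if entry["seal_id"] != seal:
            findings.append((serial, "security seal differs from the log"))
    locations = {loc for loc, _, _ in observed}
    for serial, entry in log.items():
        if entry["location"] in locations and serial not in seen:
            findings.append((serial, "logged device was not shown on camera"))
        age = (assessment_date - date.fromisoformat(entry["last_inspected"])).days
        if age > max_age_days:
            findings.append((serial, f"last inspection is {age} days old"))
    return findings

def run_example():
    """Reconcile the constructed data as of the 2020-09-23 assessment date."""
    return reconcile(INSPECTION_LOG, OBSERVED, date(2020, 9, 23))
```

Each finding is something the assessor would otherwise have to notice by eye while switching camera views; an unlogged device or a changed seal is exactly the kind of discrepancy the 9.9 inspection is meant to surface.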