Ongoing PCI DSS adherence mandates that applicable organizations complete security assessments to verify compliance. Although a Qualified Security Assessor (QSA) will conduct onsite compliance audits and attestations, you may be eligible for a PCI DSS remote assessment. Read on to learn if you’re eligible.
Eligibility Criteria for PCI DSS Remote Assessment
A PCI DSS remote assessment helps PCI-eligible organizations meet their compliance needs when onsite evaluations are not feasible. Unlike onsite reviews, PCI DSS remote assessment uses technology to connect QSAs and PCI-eligible organizations.
Eligibility for PCI DSS remote assessment depends on:
- Need for assessment
- Feasibility of assessment
Conducting a PCI DSS assessment, whether onsite or remote, will help protect sensitive card payment data and strengthen overall cybersecurity.
Do You Need a PCI DSS Remote Assessment?
The PCI Security Standards Council (SSC) mandates onsite assessments for all PCI-eligible organizations, except when there is a critical need for a PCI DSS remote assessment. Cases of demonstrable need for remote PCI audits include factors related to travel restrictions and factors beyond them.
You should consider conducting a PCI DSS remote assessment if legitimate reasons restrict a QSA’s ability to travel to your site of operation.
Demonstrable Need Cases for Remote PCI Audits
Examples of circumstances (related to travel restrictions) requiring remote PCI audits include:
- Health and safety concerns (e.g., pandemic-affected areas)
- Government advisories related to travel restrictions
- Difficulty reaching physically inaccessible geographic locations
Other factors beyond travel restrictions that affect the overall feasibility of onsite assessments include:
- PCI-eligible organizations that operate virtually, without any physical facilities, wherein:
  - All IT infrastructure is outsourced to third-party service providers (separately assessed for PCI compliance)
  - The entire organization’s workforce operates remotely
- There’s no need to test Requirement implementation physically (e.g., observation of processes, systems)
- The organization’s PCI compliance assessment obligations limit testing to:
  - Documentation reviews (e.g., security policies)
  - Interviews with personnel (e.g., IT security, management)
If you are considering a PCI DSS remote assessment, you must first evaluate the feasibility of an onsite evaluation. Then, only when it’s deemed necessary should you plan for a remote assessment.
Feasibility Analysis for PCI DSS Remote Assessment
Where a legitimate need exists for a PCI DSS remote assessment, your organization must conduct a feasibility analysis to determine the most appropriate alternatives to the standard evaluation.
A thorough feasibility analysis helps a QSA and PCI-eligible organization decide the applicability of PCI DSS remote assessment.
Considerations for a Feasibility Analysis
Determining the feasibility of remote PCI audits depends on the reliability of the processes used for the assessment. Specific considerations include:
- Agreement between a QSA and PCI-eligible organization on the assessment technologies and tools used, ensuring:
  - All involved personnel are fully trained and comfortable with their use
  - Stability of connections, with high bandwidth and transmission quality
  - Access to relevant information and materials during the assessment
  - Identification and authentication of participants
  - Unhindered observation of facilities, processes, and activities
- Availability of personnel for QSA assessment, ensuring:
  - Access to all relevant personnel for interviews
  - Presence of authorized personnel for walkthroughs in restricted areas
  - Operational support to facilitate a thorough assessment
  - The ability of trained personnel to restore processes to current operational condition, should contingencies occur during assessment
- Completeness of assessment scope, ensuring:
  - Personnel understanding of assessment complexities
  - Completion of assessment activities and subsequent evaluation of controls, initiating remediation processes, if necessary
- Quality of data generated from assessment, ensuring sufficient digital quality of requested documentation and data
Conducting a feasibility analysis helps determine whether you should conduct remote PCI audits and minimizes the security risks from improper QSA assessments.
Addressing Outcomes of Feasibility Analysis
Working together with a QSA, your organization should review the results of the feasibility analysis to determine:
- Risks and challenges associated with remote testing methods
- Mitigation controls to address risks and challenges
- The best means to ensure the feasibility analysis is:
  - Documented and agreed upon by both QSA and PCI-eligible organization
  - Submitted along with applicable Report on Compliance (ROC) (by the QSA)
  - Securely stored for possible audit by SSC stakeholders
- Which testing activities to conduct (i.e., remote vs. onsite)
- Whether hybrid testing is feasible, combining remote and onsite assessment
- Whether the remote assessment is not feasible
PCI DSS remote assessment feasibility analysis will help identify the most appropriate methods for assessing PCI compliance.
Hybrid PCI DSS Assessment Model
Combining PCI DSS remote assessment with onsite assessment provides two critical strengths:
- Non-observational processes (e.g., document reviews) can be conducted remotely, minimizing time lost during travel and financial burdens.
- Observational processes (e.g., system and network control inspection) can be conducted onsite, maintaining the generally greater effectiveness of this evaluation method.
Working with a leading QSA will help determine the best approach for your organization to assess and report PCI compliance, including PCI DSS remote assessment.
Determine Appropriate PCI Compliance Assessment
Conducting the appropriate PCI compliance assessment is critical to achieving PCI DSS certification and strengthening card payment security.
RSI Security is an experienced QSA that will help address all aspects of compliance assessment and determine your eligibility for a PCI DSS remote assessment. Contact RSI Security today to learn more.