A QSA Reflects on the COVID-Affected Security Landscape

By Sherri Collis on June, 25 2020

Get latest articles directly in your inbox, stay up to date

Back to main Blog
Sherri Collis

Sherri Collis, our Director of PCI Services, is an over twenty year PCI veteran, where she began her PCI career obtaining PCI compliance for a data center hosting / managed services company to the Visa CISP in 2002/2003. She has spent over fifteen years performing global consulting. Sherri has written and presented on a variety of topics including PCI compliance (versions 1.1, 2.0, 3.0, and 4.0), ITIL, IT governance, and Sarbanes-Oxley security and compliance. Due to her passion for bringing females into the cybersecurity field, she jointly presents “You Can Get There from Here,” a presentation discussing steppingstones for transitioning skills into the cyberworld. In 2021, Sherri was nominated by her peers and selected/recognized by the PCI Council in their “Paving the Way: Inspiring Women in Payments” series.

There really is more than one path through the woods....

I took some time recently to reflect on the changes our world has endured over the past few months. It seems like much of what I do now is so very different. See if you can relate - I find myself thinking things like, “Back in the day, I would just get up and go to a restaurant.” Or “Back in the day, I used to get on an airplane and spend time onsite with my clients.”

Currently, I would struggle to determine the last time I was in an actual restaurant, on a plane, or at a client site.

This change has made the world of PCI Assessments very different. I say different because I wouldn’t say it’s a good change or a bad change – I believe it’s a bit of both.

I became a Qualified Security Assessor (QSA) in March 2008, and I have performed hundreds of assessments through the years. I have now personally performed several assessments remotely using GoToMeeting, Zoom, and FaceTime. Doing this has shown me that assessments can be completed totally remotely. Where it isn’t ideal, the technologies do make it possible.


These last few months


All interviews were performed with cameras on as a requirement, so all interviews were, in essence, face-to-face. Where these technologies don’t replace being in the room together, they definitely make it close to actually being there. You are able to see the person you are asking questions of, and you are able to see and capture any evidence that may be mentioned and shown during an interview.

Technology observation sessions were accomplished using both GoToMeeting and Zoom, and at no time did I find it difficult to tell my clients’ technical personnel the commands I needed them to run to obtain the needed evidence of procedures being followed (e.g., patching, antivirus updates, group policy, etc.).

In some ways, getting screen captures for the technical sessions was more efficient because I was granted permission by my clients to capture screenshots during the sessions real-time. I didn’t have to track all the needed screenshots, and then have the client go back to do the screenshots again to provide or count on every screenshot requested during the interview to be captured and sent back our way.

Physical tours of facilities have been much tougher, but also possible. Data centers with onsite personnel were able to facilitate tours using FaceTime. As the onsite personnel walked through the data center, they used their phone camera to show the ingress and egress points, camera systems, video retention, visitor procedures, etc.

In some cases, store visits were halted altogether as stores were closed during certain stages of the COVID-19 outbreak. Also, in some cases, the stores re-opened before completing their assessment, so I was able to do both onsite store visits as well as visits facilitated by FaceTime.

Where I was able to perform complete PCI Assessments remotely including interviews, required sampling and observations, and facility tours, nothing quite beats being able to work side-by-side with our clients helping them to understand how to apply PCI within their environment and helping them get over the finish line to meet their compliance timelines.

Online’s Consulting Practice

We take pride in building a Trusted Advisor rapport with clients such that clients know they can call any time to ask questions. I would prefer to take a few minutes to chat about the impact an environment change could have on our client’s secure environment than to see our clients’ names on the 5:00pm news for the wrong reasons.

That rapport is best built while spending time in person with our clients, year over year, getting to know each other better to gain trust.

Looking toward the future, I would hope that we have learned we can do more than we think we can through use of the available technologies. I would hope we could limit some of the travel associated with assessment work, even if we just spend less days onsite while having a more observation-focused onsite schedule.

I believe people are coming to appreciate the time they are not spending racing to and from airports, 3:00 a.m. wake-up times to catch that early flight, sleeping in hotels, having 3 square meals a day at nearby restaurants, and being away from their friends and family while living on the road.


I can only hope that when things get settled with COVID, we won’t forget the lessons learned and will continue to take advantage of the technologies’ advancements to improve quality of life for assessors, all those folks who are regularly traveling around the world for their professions, and for the families who constantly miss their loved ones on the road.


Submit a Comment

Get latest articles directly in your inbox, stay up to date