Remote PCI Assessments: We're Adapting With You

Recent events have changed the world we typically wake up to, and it is continuing to change. The ways we interact, the ways we seek necessities, and the ways we conduct business, have all shifted in a very short period of time. 

For some retailers, business is continuing as consumers shift their shopping habits online. What doesn't seem likely to change however, is the responsibility that retailers have to protect the consumers' personal information.

As somebody who performs PCI assessments for our clients, our lives normally include the following activities:

• Walking through and sitting in airports
• Getting on airplanes
• Riding in taxis, Ubers/Lyfts, or getting rental cars
• Staying in hotels
• Dining in restaurants
• Sitting in conference rooms with large numbers of people

Today's reality changed all of that.  We now have to think, “If I do this, could someone else fall ill due to their contact with me?”  The focus on caring for our health, and even more importantly, making sure we don’t harm someone else has impacted how we do our jobs. We need to consider others with compromised immune systems, or folks who are older and more at risk; and this motivates us to make different choices.

When we perform PCI assessments, we strongly prefer to be on-site with our clients for a certain period of time, but under these unique circumstances; we are all best served by performing this work virtually.

Delivering a Remote PCI Assessment

The question for us isn't whether the technology will support remote delivery, because it will. The bigger question is how a QSA can deliver a remote assessment given the requirements we have to do the following:

• Examine documentation
• Interview personnel
• Observe evidence

This raises two important questions:

• How can we conduct effective remote assessments that will produce the same results as if we were onsite?
• How can we help clients meet compliance reporting deadlines, especially as they are making business changes in response to their crisis recovery / business resumption plans?

The good news is that we can complete a PCI assessment remotely. Let's look at each of those actions required to perform assessments that were referenced earlier, and explore how they can be addressed in a remote model:

1. Examine Documentation

Examining documentation is very simple to do remotely, and in fact most of this is done offsite today. Clients securely provide their documentation, and the QSA can easily review it, request additional information or revisions, and then document the ROC.

2. Interview Personnel 

While nothing can replace being in the room with your clients, you can effectively interview personnel, remotely. To establish some rapport, and to make the experience personal turn your computer's web camera on (you know, those things we generally block with camera covers, bits of paper, tape, or anything else we can find that can do the trick…) and have customers do the same for interviews and shoulder-surfing sessions. Make the environment as close to being in the room with your clients, as possible. Then ask away!

3. Observance

There are several different types of activities where observance is key.  This is undeniable the hardest requirement to deliver remotely. Let's look at three different scenarios:

Over-the-shoulder sessions:

Now that we have our cameras on and can see people's smiling faces, we can conduct an over-the-shoulder session.  Using available screen-sharing technologies that allow us to share screens, such as GoToMeeting, Teams, Zoom, WebEx, we can take video recordings or snapshots of what is being displayed. Follow these general rules of thumb:

1. Use your laptop cameras to set-up videos 
2. Use screen sharing technology with the capability to take screenshots and/or record the session.
3. Once you are all set with the client on the phone with video and screen shares working, you can then start providing the client the specific sampling information be it a server name, a firewall, access list, etc. (*Note that you should not provide a list of the devices being sampled ahead of this meeting.)
4. As you are taking screenshots or video of the sessions, capture the subsequent commands run as well as the results of the commands.

Site Walkthroughs (data centers and stores):

The walkthrough of the data center and store is a bit harder to do remotely, but not impossible. To validate your client's compliance, start by trying to find qualified, local resources to perform the walkthroughs on your behalf. If that isn't an option, work with onsite resources using a Skype or FaceTime session where they walk you through the facility to show you all the things you would normally look for while doing a site assessment.

The onsite personnel can walk you through their facility showing you all ingress and egress points. You can ask them to stop and try to access systems in the data center, and they can also let you talk with people you determine should be interviewed along the way. You will be able to see visitor procedures, badges, wireless access points, and cameras--including camera retention. For stores, you can also be taken to see the computer room, watch the pin pad inspections, and interview the appropriate personnel in the stores about their various processes.

Call Center Walkthroughs:

Call center walkthroughs can be a challenge. Some of our clients have implemented a work-at-home policy for their call centers, and others have not yet taken these measures. Below we discuss two different scenarios – one where the call center is still operational onsite, and one where the call center is now using at-home workers. We must note here that an onsite visit at a call center is absolutely the preference; however, with the quarantines in place, we have discussed an alternate method of performing these reviews where we believe you will get similar results, even if not ideal.

On-site Call Center Walkthroughs:

For call centers still working onsite, you can perform a virtual walkthrough with onsite staff. Through a virtual session, you can see their desktops, look at the configurations/settings on their workstations, see how they interact with the applications where they enter credit card data, and you can also ask to interview people as you are guided through the facility to discuss their business processes.

At-Home Call Centers (where business returns to normal onsite operations once the pandemic has passed)

For call centers that have been moved to at-home workers; assessing them is more challenging, however it is an excellent test of a company’s security posture while having implemented their business resumption plan. A QSA should expect to examine the following:

• Look at the organization’s risk assessment. Did the organization meet to discuss the potential risk of sending workers home? What did they consider? Did they determine ways to mitigate the risk?
• Did the organization put together revised policies and procedures surrounding this work-at-home situation? Examine them and determine whether PCI compliance can still be met based on the changes.
• Interview several of the at-home workers to ensure they are following the new policies and procedures.

Communicating with the PCI Council

Under normal operating conditions, the PCI Council expects that QSAs are on-site to conduct PCI assessments. Due to this, it is imperative to create a written justification within the Report on Compliance that addresses why you weren’t able to go onsite, and why you believe the same determinations would have been had you been onsite. 

**Note that the PCI Council has a FAQ response (Article Number 1455) that addresses performing remote assessments.

While we believe that it’s actually much better to be in the room with the people you are interviewing and observing, based on today’s technologies and with the right planning, assessments can successfully be performed remotely, obtaining almost the same results as if you were onsite.

Be safe out there, stay well, and continue to be mindful of your presence on others during this trying time.

For questions on setting up your first Remote PCI Assessment, contact us today.