Recent events have changed the world we typically wake up to, and it is continuing to change. The ways we interact, the ways we seek necessities, and the ways we conduct business, have all shifted in a very short period of time.
For some retailers, business is continuing as consumers shift their shopping habits online. What doesn't seem likely to change however, is the responsibility that retailers have to protect the consumers' personal information.
As QSAs who perform PCI assessments for our clients, our work normally includes the following activities:
Today's reality changed all of that. We now have to think, “If I do this, could someone else fall ill due to their contact with me?” The focus on caring for our health, and even more importantly, making sure we don’t harm someone else has impacted how we do our jobs. We need to consider others with compromised immune systems, or folks who are older and more at risk; and this motivates us to make different choices.
When we perform PCI assessments, we strongly prefer to be on-site with our clients for a certain period of time, but under these unique circumstances, we are all best served by performing this work virtually.
The question for us isn't whether the technology will support remote delivery, because it will. The bigger question is how a QSA can deliver a remote assessment given the requirements we must meet to do the following:
This raises two important questions:
The good news is that we can complete a PCI assessment remotely. Let's look at each of those actions required to perform assessments that were referenced earlier, and explore how they can be addressed in a remote model:
Examining documentation is very simple to do remotely, and in fact most of this is done offsite today. Clients securely provide their documentation, and the QSA can easily review it, request additional information or revisions, and then document the ROC.
While nothing can replace being in the room with your clients, you can effectively interview personnel remotely. To establish some rapport and to make the experience personal, turn your computer's web camera on (you know, those things we generally block with camera covers, bits of paper, tape, or anything else we can find that can do the trick…) and have customers do the same for interviews and shoulder-surfing sessions. Make the environment as close to being in the room with your clients as possible. Then ask away!
There are several different types of activities where observation is key. This is undeniably the hardest requirement to deliver remotely. Let's look at three different scenarios:
Now that we have our cameras on and can see people's smiling faces, we can conduct an over-the-shoulder session. Using available screen-sharing technologies such as GoToMeeting, Teams, Zoom, or WebEx, we can take video recordings or snapshots of what is being displayed. Follow these general rules of thumb:
The walkthrough of the data center and store is a bit harder to do remotely, but not impossible. To validate your client's compliance, start by trying to find qualified, local resources to perform the walkthroughs on your behalf. If that isn't an option, work with onsite resources using a Skype or FaceTime session where they walk you through the facility to show you all the things you would normally look for while doing a site assessment.
The onsite personnel can walk you through their facility, showing you all ingress and egress points. You can ask them to stop and try to access systems in the data center, and they can also let you talk with people you determine should be interviewed along the way. You will be able to see visitor procedures, badges, wireless access points, and cameras, including camera footage retention. For stores, you can also be taken to see the computer room, watch the PIN pad inspections, and interview the appropriate personnel in the stores about their various processes.
Call center walkthroughs can be a challenge. Some of our clients have implemented a work-at-home policy for their call centers, and others have not yet taken these measures. Below we discuss two different scenarios – one where the call center is still operational onsite, and one where the call center is now using at-home workers. We must note here that an onsite visit at a call center is absolutely the preference; however, with the quarantines in place, we have discussed an alternate method of performing these reviews where we believe you will get similar results, even if not ideal.
For call centers still working onsite, you can perform a virtual walkthrough with onsite staff. Through a virtual session, you can see their desktops, look at the configurations/settings on their workstations, see how they interact with the applications where they enter credit card data, and you can also ask to interview people as you are guided through the facility to discuss their business processes.
For call centers that have moved to at-home workers, the assessment is more challenging; however, it is an excellent test of a company's security posture while its business resumption plan is in effect. A QSA should expect to examine the following:
Under normal operating conditions, the PCI Council expects QSAs to be on-site to conduct PCI assessments. Because of this, it is imperative to include a written justification within the Report on Compliance that addresses why you weren't able to go onsite, and why you believe the same determinations would have been reached had you been onsite.
Note that the PCI Council has a FAQ response (Article Number 1455) that addresses performing remote assessments.
While we believe it is actually much better to be in the room with the people you are interviewing and observing, with today's technologies and the right planning, assessments can successfully be performed remotely, obtaining almost the same results as if you were onsite.
Be safe out there, stay well, and continue to be mindful of how your presence affects others during this trying time.
For questions on setting up your first Remote PCI Assessment, contact us today.