Socially Distant PCI DSS Assessments

In recent months, various levels of government have issued changing guidelines regarding the gathering of personnel and remote work.  In their own efforts to add clarity, the PCI SSC has also published a few different blogs and guidelines for when remote work is necessary, including the Remote Assessments and the Coronavirus blog that focuses on conducting remote PCI Assessments.

If your organization is about to start a PCI assessment or has already started one, you have a difficult obstacle ahead, as the PCI SSC requires at least some portion of the assessment to be conducted onsite.  Unfortunately, with recent changes in government directives and travel bans, this may not be an option for the next several months, and as such, organizations will need to work with their QSA Company (QSAC) to determine the best course of action for ensuring the integrity of the assessment.  Because every organization has different needs, a customized validation plan and strategy will need to be developed to ensure all PCI DSS requirements can be effectively tested.

However, there are many organizations that already have no physical presence outside of a third-party colocation or cloud hosting provider, and they, along with those that are heavily cloud-based, will likely have an easier time at adjusting the onsite portion of the assessment to all remote meetings.  In these situations, the service provider's ROC can be legitimately used to meet physical security requirements, as can the additional guidance provided by the PCI SSC to justify all remote work sessions during this pandemic.  However, for the other organizations in traditional retail, cloud hosting, or colocation services that implement their own physical security controls, this becomes more difficult, though testing all requirements is still entirely possible. 

Below are a few of the strategies Schellman has implemented with these types of clients to ensure the integrity of the assessment is maintained.

  • If physical presence is absolutely necessary, limit the number of personnel sent onsite for the review.

  • At the location, ensure all auditor and auditee personnel implement the appropriate social distancing recommended by the local, state and federal government.

  • When possible, utilize local QSAs to conduct the necessary onsite assessments so as to avoid having to travel via air.  (NOTE: This has proved useful for Schellman because we have multiple QSAs spread across the country but may be more difficult for smaller QSACs.)

  • Conduct a live video tour of the facility via a teleworking tool in place of an in-person tour.
    (Pro Tip: If the remote video tour is of a data center, ensure the onsite representative has a headset to reduce noise and adequate internet access throughout the tour to ensure connectivity is not an issue.)

  • Increase the sample size of various physical security control mechanisms such as CCTV feeds, badge access logs, visitor logs, etc.

At Schellman, we have implemented several of these options in almost all cases where an onsite assessment could not be conducted.

Not only are PCI assessments having to be conducted remotely, those assessing and being assessed are also having to work remotely themselves.  As a result, the PCI SSC posted a new blog on March 23, 2020 entitled Protecting Payments While Working Remotely, which focuses on securing cardholder data (CHD) when personnel are working remotely.  Great responsibility is already placed on companies to ensure that their customers’ data is secure, and as employees are having to transition to work remotely, it is impossible to emphasize enough how important it is to educate them on their responsibilities and proper security awareness in their new workspace.  One of the largest risks to an organization’s data security is human error.  Even with the strictest security measures, human error is not 100% preventable; however, it is still the organization’s responsibility to take every possible precaution.

In addition, it is also the responsibility of the company to create and update policies and processes regarding remote work and acceptable use guidelines.  Some of these best practices are also tested during a PCI assessment, so such a measure not only protects the company’s security posture, but also helps to ensure that PCI requirements are in place and being enforced.  Items to include in remote work policies and procedures could include:

  • Requiring the use of company-approved hardware and software. 

    • Any exceptions to this rule should be requested in writing, approved by management, and follow the normal change management process.

  • Considering the use of a Mobile Device Management (MDM) solution to protect company-owned devices (laptops and company phones) as well as any bring-your-own-device (BYOD) equipment, such as employee-owned phones or other devices.

    • An MDM solution gives the company the ability to locate a missing device, lock it remotely, or perform a system wipe if necessary.

  • Maintaining up-to-date security patches, enabled firewalls, and anti-virus software on devices used by employees.  Ensure the system is locked down so the end-user cannot alter or terminate any of the enabled security features.  

  • Implementing the use of multi-factor authentication as an additional security measure in the case of a lost or stolen device. 

  • Ensuring that logging and monitoring rules extend to the devices being used remotely and that the logs and any resulting alerts are investigated and documented.

  • Investing in a data loss prevention (DLP) program to utilize multiple levels of protection and create a greater defense-in-breadth. 

Companies may be able to limit their security risk during these extraordinary circumstances by ensuring employees receive proper security training, implementing multi-level protection programs, and enforcing the principle of least privilege.  It is not enough to continue to rely on security programs created in the past.  Technology evolves and as it does, so do the attempts of malicious actors trying to breach a company’s security defenses.  Together, we are all facing new and unfamiliar territory both personally and professionally, and the situation seems to change daily.  We must continue to change with it and work as a community, share best practices, and support each other throughout these uncertain times.  If we do so, we all win in the end. 

About the Authors:

Matthew Crane is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman in July of 2017, Matt worked as a Security Consultant Team Lead, specializing in PCI and NIST CSF assessments. As a Senior Associate with Schellman, Matt is focused primarily on PCI-DSS Compliance for organizations across various industries.

Bethany Caputo is a Senior Associate with Schellman & Company, LLC. Prior to joining Schellman, Bethany worked as an Information Security Compliance Analyst, specializing in Payment Card Industry Data Security Standard (PCI DSS) and Third Party Vendor compliance. As a Senior Associate, Bethany Caputo is focused primarily on PCI DSS reports.

About the Author

Schellman Compliance

Schellman is a leading global provider of attestation, compliance, and certification services. Operating as an alternative practice structure as Schellman & Company, LLC, a top 100 CPA firm, and Schellman Compliance, LLC, a globally accredited compliance assessment firm, we are able to offer clients services as a CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Schellman's approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives using a single third-party assessor. For more information, please visit
