Assessing Your PCI Compliance During COVID-19
Last Updated on March 8, 2021 by Corepay
Protecting consumers’ personal and financial data is a top priority for the entire financial industry, from the credit card networks to the banks to the payment processors, all the way to the merchants who actually accept the payments. Even consumers are expected to play their part in protecting their own information. That means companies involved in credit card payments (retail merchants, for example), whether they store, process, or transmit cardholder data, have to be PCI DSS compliant as a way to protect against cyber-attacks and identity theft. Note that this obligation is contractual rather than statutory: it flows down from the card brands through the acquiring banks to every merchant and service provider that touches card data.
The Payment Card Industry Data Security Standard (PCI DSS) sets the baseline security controls that everyone in the payment chain is supposed to follow: twelve requirements covering network security, protection of stored and transmitted cardholder data, vulnerability management, access control, logging and monitoring, and security policy. It was created by (what else?) the PCI Security Standards Council.
The PCI Security Standards Council was formed in 2006 by the five global card brands: American Express, Discover, JCB International, MasterCard and Visa. The five share equally in the council’s governance and in the creation of its standards. The council itself does not enforce compliance; each card brand runs its own compliance program, with fines and penalties flowing through the acquiring banks.
To demonstrate they are PCI DSS compliant, merchants and payment processors have their security measures and compliance checked by an independent PCI Qualified Security Assessor (QSA). The QSA checks a business, a processor, or an acquiring bank to make sure proper security controls are in place and operating, and documents the result in a Report on Compliance (ROC) and an Attestation of Compliance (AOC). Strictly speaking, a QSA-led assessment is mandatory only for the largest merchants and for service providers; smaller merchants typically complete a Self-Assessment Questionnaire (SAQ) instead, though their acquirer may still require QSA involvement.
When the pandemic hit, most of these in-person visits had to be canceled, even though PCI DSS compliance and monitoring still had to take place.
Ordinarily, most aspects of a PCI DSS assessment occur on-site at data centers, offices, retail stores, and so on. However, with lockdowns and national and international travel restrictions hindering movement, on-site assessment may not be possible. This led many businesses to believe their QSA could not complete their annual assessment, and caused some third-party service providers to claim they could not provide their customers an annual Attestation of Compliance because COVID-19 made the on-site elements of their assessment impossible.
This isn’t the case. Just as businesses have adapted to new ways of working under COVID-19, so too has the PCI Security Standards Council (PCI SSC) updated guidance for on-site assessments.
Of course, even before the pandemic, on-site assessment and first-person observation was not always possible or practical. For example, how easy and convenient is it to check the gas stations in Ada, Minnesota, 250 miles NW of Minneapolis?
While assessments usually happen in person for larger organizations, like a major retail outlet or call center, the PCI SSC had already recognized in 2017 that some compliance requirements could be verified remotely. The assessment activities that ordinarily depend on the QSA being present include physical site inspections, interviews, and over-the-shoulder observations, complete with demonstrations to the QSA.
Of course, most of this can be done remotely via video chat and photos, although the over-the-shoulder observations may be a little problematic.
The SSC outlined certain scenarios in which on-site assessment was “unreasonable and unnecessary,” meaning a remote assessment was justified. However, as Greensheet.com notes, the QSA had to be able to defend the remote performance of any testing procedure, and such remote assessments were “expected to be the exception.”
These days, it seems more like on-site is the exception and not the rule. In response, the PCI SSC updated its remote assessment guidance, acknowledging that assessors and merchants could be at risk of infection during in-person assessments. Additionally, many cities, states, and countries closed their borders to travel, either banning travelers completely, banning non-essential travel, or requiring 14-day quarantines for arriving travelers.
Now that these remote assessments have been (mostly) successful, businesses may want to do them again next year as a way to save on travel and expenses. But that is only allowed where a “defensible justification” for remote testing still exists, such as borders being closed or the merchant being in a far-off remote location, like Red Lake, Ontario. In practice, the QSA has to document that justification in the assessment itself, since the acquirer or card brand may ask why a test was not observed in person.
So don’t expect remote testing to remain in place once the pandemic is over and we return to the life we had before it. Greensheet.com says the PCI SSC is not expecting to change its position on on-site assessments, which means we’ll likely go back to in-person assessments in 2021. However, the council does recognize that organizations were able to complete remote assessments during the pandemic, and that no one seemed to have a problem with them.
Does that mean we’ll see more companies asking for, and getting, remote PCI assessments rather than having someone hovering over them? When we learned that a lot of jobs could be done remotely with an iPhone and a wifi connection, that changed the business landscape dramatically. Does that mean the PCI SSC will have the same realizations in 2021?
Do you need help with PCI compliance? Do you want to help protect yourself from hackers and identity thieves? Corepay can help you. To learn more, please visit our website or call us at (866) 987-1969.
Photo credit: Gadini (Pixabay.com, Creative Commons 0)
We appreciate you following Corepay’s blog. Let’s collaborate, send us your article suggestions, questions, and/or feedback to: [email protected].