Guidelines Provide Best Practices to Support the Appropriate Use of Remote Assessments for PCI SSC Standards
The PCI Security Standards Council (PCI SSC) has published guidelines setting out principles and procedures for the use of remote assessments. Built upon guidance issued over the course of the pandemic, the “PCI SSC Remote Assessment Guidelines and Procedures” was developed to meet the changing needs of the payments industry.
Assessors play a critical role in protecting payment data by evaluating how organizations secure it. While onsite assessments remain the expectation, PCI SSC recognizes there are legitimate circumstances that could prevent an assessor from completing assessment activities onsite. In these scenarios, assessors and entities can refer to the procedures and guidelines set out in this document.
“The Council’s primary goal has always been to help organizations protect payment data,” says Emma Sutcliffe, SVP, Standards Officer. “We have collaborated with the payments industry and have issued timely guidance to help organizations maintain and monitor the effectiveness of their security controls throughout the course of the global pandemic. The Remote Assessment Guidelines and Procedures builds upon previously published guidance on conducting remote assessments in a secure manner.”
The Remote Assessment Guidelines and Procedures document can be found in the PCI SSC Document Library. The guidelines include:
- Feasibility considerations for the use of remote assessments.
- Steps to properly plan and prepare for the remote assessment.
- Detailed guidelines and best practices on the use of remote testing methods for different types of testing activities.
- Requirements and expectations for PCI SSC assessors regarding the use of remote assessment activities.
- Report Template Addendum to document the use of remote assessment methods.
It is important to note that PCI SSC does not enforce compliance with its standards. All questions about how the completion of an assessment may affect compliance with a payment brand compliance program should be addressed to the entity’s acquirer or the applicable payment brands.