Impact of COVID-19 on PCI DSS compliance

Following recent developments in the spread of COVID-19, many companies and organizations are facing exceptional logistic challenges that can go as far as invoking their business continuity plan.

 
Such measures can potentially cause security and compliance elements to be put on hold for reasons of understaffing, the need to stabilize the IT infrastructure, or logistical difficulties related to the lack of mobility of key personnel.

 
PCI SSC issued a memo on March 12, 2020 regarding remote audits as part of a PCI DSS compliance assessment (see article here). The council stated that an assessment which would normally require to be on site, can exceptionally be conducted remotely if the QSA takes the necessary measures to ensure the verification made remotely is done with a sufficient level of assurance to confirm that the controls are in place. This could mean, for example, that the QSA will be doing additional checks to ensure that the people interviewed and the systems observed are the same as if the QSA had visited the site.

 
In the same article, the council announced that it is well aware these exceptional circumstances could delay the completion of compliance processes. The council suggests companies and organizations contact their acquirer or the applicable payment brands to confirm if the present situation is likely to impact their compliance program.

 
For any situation that could negatively affect the level of risk, we recommend that you document all changes and carry out a risk analysis before reducing or suspending a process or a control related to security or compliance. Before any change, try by all means to limit the risks for your environment and to your compliance against standards such as PCI DSS.

 
If, for example, the installation of patches has to be suspended to limit the risk of disrupting an essential service, increased monitoring could be implemented to reduce the risk associated with malicious activities. Also, if an organization does not have enough licences for its multi-factor authentication system to allow all of its employees to connect remotely, user accounts with minimum privileges could be set up with single-factor authentication. However, a password policy with a high level of complexity and the inability to log in outside of office hours should be enforced. Again, make sure that any reduction in controls during this exceptional period is fully documented in preparation for your next audit. Your next assessment documentation will have to reflect all changes and compensating controls that have been made and put in place.

 
If you need advice on setting up exceptional measures that would not negatively affect security or conformity, do not hesitate to contact us.

 
We wish you all health and safety in these turbulent times.