PCI SSC permits remote assessments during COVID-19 disruptions
PCI SSC released guidance for remote assessments in March 2020—a pandemic necessity. QSAs could do evidence collection remotely with proper controls. This changed how compliance audits work.
Fact-checked and reviewed — Kodi C.
The PCI Security Standards Council published guidance on 18 March 2020 permitting remote assessments under certain conditions during the COVID-19 pandemic, fundamentally changing QSA engagement models for PCI DSS compliance validation.
Remote Assessment Framework
The guidance established that remote assessments are permissible when in-person assessments are not feasible due to travel restrictions, health concerns, or government mandates. QSAs must document the specific circumstances preventing on-site presence and obtain acquirer or payment brand approval before proceeding with remote validation.
Technology requirements specify that video conferencing must enable real-time observation of physical security controls, network architecture reviews, and interviews with key personnel. Screen sharing capabilities are required for configuration reviews, log analysis, and policy document examination. All remote sessions must be conducted over encrypted connections.
Evidence collection standards require QSAs to obtain additional documentation to compensate for inability to physically inspect controls. This includes timestamped photographs of physical security measures, video walkthroughs of data center facilities, and expanded sampling of system configurations to increase confidence in findings.
Control Categories Requiring Special Consideration
Physical security controls under Requirement 9 present the greatest challenge for remote assessment. QSAs must obtain video evidence of entry controls, visitor logs, media destruction processes, and POS device security. Affected organizations should prepare detailed facility tours via video conference and provide supplemental photographic documentation.
Network segmentation validation requires screen sharing of network diagrams, firewall configurations, and penetration testing results. QSAs should request additional evidence such as packet captures, VLAN configurations, and routing tables to confirm segmentation effectiveness without physical network access.
Interview processes must be adapted for video conferencing, with QSAs ensuring appropriate personnel are available at scheduled times. Affected organizations should prepare subject matter experts for system administration, security operations, and policy governance interviews, and give them screen sharing capabilities for real-time demonstration of procedures.
Documentation Requirements
Assessment methodology documentation must detail the remote assessment approach, including technologies used, evidence collection methods, and any limitations encountered. QSAs must explicitly document how each requirement was validated remotely and what compensating evidence was obtained.
Sampling adjustments may be necessary to achieve sufficient confidence in control effectiveness. The guidance permits expanded sample sizes for remote assessments, with QSAs documenting the rationale for sampling decisions and any increased scrutiny applied to high-risk areas.
Exception documentation is required for any requirements that could not be adequately validated remotely. QSAs must identify these limitations in assessment reports and may need to schedule follow-up on-site validation once travel restrictions are lifted.
Ongoing Implications
While initially issued as pandemic response guidance, the remote assessment framework has had lasting impacts on PCI DSS validation. Many organizations and QSAs have incorporated hybrid assessment models combining remote and on-site components, reducing travel costs while maintaining assessment rigor.
The Council then updated guidance to address permanent remote assessment scenarios, establishing baseline requirements for technology platforms, assessor qualifications for remote work, and improved documentation standards that have become standard practice in the industry.
Organizations should treat remote assessment capability as a standard component of their PCI DSS compliance programs, investing in video conferencing infrastructure, evidence collection workflows, and documentation practices that support both remote and on-site validation methodologies.
Technology Platform Requirements
Video conferencing standards require enterprise-grade platforms with end-to-end encryption. QSAs must verify platform security before conducting assessments, and you should avoid consumer-grade tools that lack audit logging or session encryption. Platforms must support screen sharing, file transfer, and recording capabilities for evidence preservation.
Secure file sharing mechanisms replace physical document exchange. Affected organizations should establish encrypted portals for uploading policies, procedures, and configuration evidence. Document retention policies must account for assessment artifacts stored on third-party platforms, with clear data deletion procedures post-assessment.
Network access considerations arise when QSAs require remote access to validate configurations. Read-only access through jump hosts or screen sharing is a safer alternative to direct network access. Affected organizations should document every remote access grant and revoke the permissions promptly after the assessment is complete.
Preparation Checklist
Organizations approaching remote assessments should compile full documentation packages in advance. Physical security evidence requires recent photographs with timestamps, facility tour videos, and visitor log samples. Technical evidence includes configuration exports, scan reports, and architecture diagrams that can be reviewed during screen sharing sessions.
Schedule personnel availability across time zones, ensuring that interviews can proceed without delays. Prepare subject matter experts for video-based interviews and equip them with screen sharing capabilities for demonstrating procedures and configurations in real-time.
Test technology platforms before assessment begins. Conduct dry runs of video conferencing, screen sharing, and file upload workflows to identify and resolve technical issues. Ensure backup communication channels exist for connectivity failures during critical assessment sessions.
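The evidence packages described above (timestamped artifacts, configuration exports, retention and deletion obligations for files held on third-party portals) benefit from a tamper-evident manifest. The following is an added example, not PCI SSC guidance or any QSA's tooling; it assumes evidence files sit in one local directory and that the PCI DSS requirement each file supports is supplied by the preparer as a plain mapping (the "Req 1" and "Req 9" labels below are illustrative). It hashes each artifact, records the capture time and a retention deadline, flags files not mapped to a requirement, and later re-verifies the directory so that a modified, missing or unlisted file is detected before the package is handed to an assessor.

```python
"""Evidence package manifest: record, timestamp, and verify assessment evidence.

Added example (not PCI SSC guidance or any QSA tool). Assumes a local
directory of evidence files; writes a JSON manifest beside them.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone, timedelta


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large video walkthroughs are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, requirement_map, retention_days=90):
    """Return a manifest dict: per-file hash, size, capture time, requirement tag,
    plus a deadline by which artifacts must be deleted from third-party platforms.
    requirement_map and retention_days are assumptions supplied by the preparer."""
    captured = datetime.now(timezone.utc)
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path) or name == "manifest.json":
            continue
        entries.append({
            "file": name,
            "sha256": sha256_file(path),
            "size": os.path.getsize(path),
            "captured_utc": captured.isoformat(),
            "requirement": requirement_map.get(name, "UNMAPPED"),
        })
    return {
        "generated_utc": captured.isoformat(),
        "delete_after_utc": (captured + timedelta(days=retention_days)).isoformat(),
        "entries": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return (ok, problems). Problems: hash mismatch, missing file, unlisted file."""
    problems = []
    listed = set()
    for e in manifest["entries"]:
        listed.add(e["file"])
        path = os.path.join(evidence_dir, e["file"])
        if not os.path.isfile(path):
            problems.append(f"missing: {e['file']}")
        elif sha256_file(path) != e["sha256"]:
            problems.append(f"hash mismatch: {e['file']}")
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if name != "manifest.json" and os.path.isfile(path) and name not in listed:
            problems.append(f"unlisted: {name}")
    return (not problems, problems)


def unmapped_files(manifest):
    """Files the preparer has not tied to a requirement; these need attention before submission."""
    return [e["file"] for e in manifest["entries"] if e["requirement"] == "UNMAPPED"]


def demo():
    """Build a constructed evidence directory, write a manifest, alter a file, re-verify."""
    d = tempfile.mkdtemp()
    files = {  # constructed sample artifacts, not real evidence
        "fw-export.txt": b"constructed firewall config export\n",
        "dc-entry.jpg": b"constructed photo bytes",
        "visitor-log.csv": b"date,name\n2020-03-18,constructed\n",
    }
    for n, b in files.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(b)
    req_map = {"fw-export.txt": "Req 1", "dc-entry.jpg": "Req 9"}  # illustrative labels
    m = build_manifest(d, req_map)
    with open(os.path.join(d, "manifest.json"), "w") as f:
        json.dump(m, f, indent=2)
    ok_before, _ = verify_manifest(d, m)
    with open(os.path.join(d, "fw-export.txt"), "ab") as f:  # simulate a post-capture edit
        f.write(b"# edited after capture\n")
    ok_after, problems = verify_manifest(d, m)
    return ok_before, ok_after, problems, unmapped_files(m)


if __name__ == "__main__":
    print(demo())
```

Generate the manifest at capture time, store it with the package and share the manifest's own hash with the assessor out of band; re-run verification before upload and again when the retention deadline triggers deletion, so the record of what was provided survives after the artifacts themselves are removed.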
When Assessors Cannot Be On-Site
PCI assessments traditionally required assessors to physically visit your facilities, observe controls in action, and interview staff in person. The pandemic forced everyone to rethink that model. Can you still get meaningful assurance when nobody's shaking hands?
The answer, it turns out, is yes—with careful planning. Remote assessments can work, but they require more preparation and clearer evidence documentation than traditional on-site visits.
Making Remote Assessments Work
The key to successful remote assessments is preparation. Have your evidence organized and accessible. Set up secure screen sharing for system demonstrations. Schedule extra time for video calls—remote communication takes longer than in-person.
Think of it as a chance to improve your overall compliance documentation. The evidence packages you create for remote assessments will serve you well for years to come.
Evidence Documentation Excellence
Remote assessments demand better evidence than on-site visits. When an assessor cannot walk through your data center or observe a process in person, you need documentation that tells the complete story.
Screenshots, configuration exports, policy documents with approval signatures, training records—compile these actively. The better your evidence package, the smoother your assessment.
Technology for Remote Collaboration
Invest in secure video conferencing and screen sharing capabilities. Assessors need to see your systems in action, which means secure, reliable connections. Test your collaboration tools before assessment day.
Consider recording key sessions (with assessor agreement) to create reference material. Some organizations find these recordings valuable for training and audit preparation.
The Future of Assessments
Remote assessment capabilities are not just pandemic workarounds—they are the future. Even when in-person visits are possible, hybrid approaches that combine remote evidence review with targeted on-site activities can be more efficient for everyone involved.
Build the capabilities now. They'll serve you well regardless of what circumstances require.
Assessor Relationships
Choose your QSA wisely for remote assessments. Assessors experienced with remote evaluations understand the unique challenges and have developed effective techniques. Ask about their remote assessment experience before engagement.
Good communication becomes even more important when you cannot read body language or have impromptu conversations. Establish clear channels and regular check-ins throughout the assessment.
Post-Assessment Review
After your remote assessment, conduct an internal retrospective. What worked well? What created friction? Use these insights to improve your next assessment, whether remote or in-person.
Share feedback with your assessor too. The entire industry is learning how to do remote assessments effectively, and constructive feedback helps everyone improve.