PCI SSC permits remote assessments during COVID-19 disruptions
The PCI Security Standards Council issued guidance on conducting PCI DSS assessments remotely during the pandemic, outlining conditions for evidence collection and compensating controls when onsite reviews are impossible.
Executive briefing: On , the PCI Security Standards Council (PCI SSC) published guidance for remote PCI DSS assessments in response to COVID-19 travel and site-access restrictions. The council affirmed QSAs can perform evaluations remotely when evidence (screenshares, photos, video walkthroughs) sufficiently demonstrates control operation, and stressed documenting any temporary compensating controls.
Operator action: Coordinate with your QSA to determine which testing steps can be executed remotely, ensure logging, configuration exports, and video walkthroughs are available, and document interim controls for items requiring onsite validation. Update ROC/SAQ narratives to capture COVID-19 constraints and schedule onsite follow-up for physical inspections once restrictions lift.
Sources: PCI SSC’s blog post details acceptable evidence types, documentation expectations, and when additional validation is needed.




