Ben Rothke joins his longtime coauthor David Mundhenk, CISSP, CISA, PCI QSA, PCIP, Principal Security Consultant, at the Herjavec Group, for this article.
Travel the world
With the war raging in Viet Nam, the US Army was having trouble getting enough recruits. The traditional recruitment approaches simply were not working.
The Army decided to go to Madison Avenue, and the image below was from a US Army advertising campaign in the 1970s which tried to get men to enlist. The approach they used was that it was worth enlisting as you would be able to live in and visit exciting and interesting places.
For technology consultants in general, and those involved with PCI assessments specifically, there is often travel involved. But unlike the promise of the Army, it is not always to exciting places. While there are PCI projects in Maui, Vail, and other exotic locations, our destinations were often entirely off the beaten path.
Being on-site for the PCI DSS assessment
And that begs the questions, with some license to William Shakespeare, which is: to be onsite for a PCI assessment, or not to be onsite for a PCI assessment, that is the question.
More specifically: how much, if any, of a PCI assessment project can be done remotely. And how much of it needs to be done at the client’s physical location and/or data centers.
As we are members of the PCI Dream Team, along with Art “Coop” Cooper and Jeff Hall, we are very often asked this question: “With respect to completing the PCI DSS report on compliance assessments, is there a PCI Security Standards Council (SSC) mandated requirement to be onsite with the client to complete the work?”
It is indeed an interesting question since it has recently been reported that some Qualified Security Assessor (QSA) firms are offering to complete PCI DSS assessments at measurably discounted rates.
For example, here is a recent email Ben got where a QSA-certified firm said they could offer QSA services at 30% less. For a firm to say they are 1/3 less than the competition is a rather gutsy claim. Just how do they do it?
They didn’t explain how they can be so low in the email, nor did they in about five follow-up emails asking how they can be 1/3 less than other firms. After getting them on the phone and reading between the lines, it became quite clear — their QSA services are done remotely. They save expensive travel costs as their consultants are in India.
Firms like this one are far from being the exception. They can offer such measurable discounts by merely doing all of the assessment work remotely. To that point, what is the position of the PCI SSC on remote PCI DSS assessment work?
The PCI SSC QSA Program Guide makes several general references to an expectation that some finite amount of time being spent onsite with clients during PCI DSS assessments. Section 5.3 of the Program Guide notes that QSA Companies and their QSA Employees’ responsibilities in connection with the Program include being onsite at the assessed entity during the PCI DSS assessment. But there is no fixed measure to how much time much be spent onsite.
There are additional similar recommendations made as part of the annual recertification training that all QSAs in good standing must successfully complete. In addition, the PCI Security Standards Council (SSC) has offered the following guidance with respect to this topic in FAQ 1455, to the question of: Does a QSA need to be onsite at the client’s premises for all aspects of a PCI DSS assessment?
The response is that the “PCI SSC intends for onsite testing to be the norm, with the majority of PCI DSS assessment testing completed at the physical client location. Though the entire PCI DSS Assessment may not require being onsite, required validation methods like ‘observe’ — meaning the assessor watches an action or views something in the environment — are difficult to complete remotely.
At first read, it appears that the PCI SSC position on this topic is very straightforward. Let us now, however, consider a new and serious complicating factor; the current COVID-19 Coronavirus outbreak.
In early March, the PCI SSC wrote that they are aware of the unprecedented situation caused by the spread of COVID-19. As circumstances evolve, questions have arisen surrounding a variety of issues, including the impact on assessments and the trainings. The SSC is actively monitoring the developments and collaborating with their stakeholders and community on response and needed guidance.
To that end, on March 10, Troy Leach, SVP, Engagement Officer for Market Intelligence and Stakeholder Engagement at the PCI SSC, wrote in his blog post on the question of does an assessor needs to be onsite. He wrote that the SSC recognizes there may be exceptional circumstances that temporarily prevent an assessor from being able to travel to an onsite location to conduct an assessment, such as travel advisories or restrictions relating to Coronavirus.
Leach also wrote that in the event an onsite assessment is not currently possible due to such circumstances, assessors should follow the guidance from the PCI SSC website.
The critical point is that when performing a remote assessment, assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are correctly implemented, and requirements are met before they sign off that a requirement is “in place” and complete a report on compliance.
To be onsite or not to be onsite
So, the bottom line, do you need to be onsite? We will opine on the current Coronavirus situation, traditional assessments, a fully cloud-based environment, and when the remote site is small.
While the exception sometimes proves the rule, that nature of the Coronavirus crisis has undoubtedly shown that any sort of aggressive requirement to be onsite is out of place. With significant and onerous travel restrictions in place, it is unreasonable to expect a QSA to travel to a remote site and risk being stranded there, placed in quarantine, or other situations that are out of their control.
We are using the term remote site here to be a client location requiring air travel to a location where it is not reasonably feasible to travel by car. So when Coronavirus is in effect, it is perfectly acceptable to do everything remotely, unless the site is easily accessible by car.
As to travel by car — this assumes that there are no local health issues. While there may be 12 general PCI requirements — the requirement that your health comes first should be eminently clear.
The function of being onsite is mean to give the QSA a better understanding of the client environment, have more personal discussions with client staff, and the like.
A traditional assessment should have a reasonable amount of onsite work. With that, you will not find an exact definition of what reasonable is on the PCI web site, as it is impossible to define. But a QSA firm should be able to defend its position on the amount of time its assessors spend onsite. If you can judiciously define that amount, you should be fine.
QSA’s should avoid going onsite only when there are compelling reasons. Avoiding onsite visits to simply lower costs is an absolutely unacceptable approach to PCI compliance and should be shunned. While there are firms that use complete off-site work as a competitive advantage, the PCI SSC should come down hard on such firms. And the only way to do that is to suspend them.
Fully cloud-based environments
It’s 2020, and there are plenty of firms that have fully embraced the cloud, such that they have no data centers and no hardware owned by them. They often use world-class cloud-providers such as Amazon Web Service (AWS), Google Cloud Platform (GCP), and others.
If you are assessing such a firm, there is no valid reason to travel to their offices. If you happen to be in the same geographic area, say within an hour’s car drive, it can be easier to perform the interviews in their offices, if that can be done.
If the firm happens to be one such that there is no office and all employees work remotely, it certainly would be improper to go to the employee’s homes or workspaces.
As to a data center walkthrough of these large cloud providers, not only is it not necessary to visit these data centers, AWS & GCP will not let you in. In fact, they don’t even tell you their exact location.
When you do not need to go onsite
There are indeed other situations where going onsite may not be justified.
If you have to travel internationally, for a small client, to do a 30-minute walkthrough of their data center, that could be a compelling reason not to go. In that case, you could accomplish much of the requirement 9 tasks via video chat and voice programs such as Skype.
What is comes down to is that FAQ 1455 notes that it is up to the QSA to defend why they were not onsite. If you do not go onsite, you need compelling business and technical reasons why you did not go. Cost alone should not be the determining factor.
As to the question to be onsite for a PCI assessment, or not to be onsite for a PCI assessment — when it comes to a full-cloud environment or where you are affected by Corona, they can be done remotely.
For regular assessments and times of non-pandemic, QSA firms should document in their
Quality Assurance Manual the requirements for their assessors to be onsite. They should also be able to defend those decisions to the PCI SSC. If they can do that, all is well.