Press Release

PCI Security Standards Council Issues Remote Assessment Guidelines

Guidelines Provide Best Practices to Support Remote Assessments When Onsite Testing Is Not Possible

WAKEFIELD, Mass., 24 September 2021 — The PCI Security Standards Council (PCI SSC) has issued guidelines to support principles and procedures outlining the use of remote assessments. Built upon guidance provided throughout the course of the pandemic, the “PCI SSC Remote Assessment Guidelines and Procedures” was developed to meet the changing needs of the payments industry.

Assessors play a critical role in ensuring payment data is secure by evaluating how organizations secure payment data. While onsite assessments are always expected, PCI SSC recognizes there are legitimate circumstances that could prevent an assessor from completing the assessment activities onsite. In these scenarios, assessors and entities will be able to refer to the procedures and guidelines outlined in this document.

“The Council’s primary goal has always been to help organizations protect payment data,” say Emma Sutcliffe, SVP, Standards Officer. “We have collaborated with the payments industry and have issued timely guidance to help organizations maintain and monitor the effectiveness of their security controls throughout the course of the global pandemic. The Remote Assessment Guidelines and Procedures builds upon previously published guidance on conducting remote assessments in a secure manner.”

Remote Assessment Guidelines and Procedures can be found in the PCI SSC Document Library [LINK TO DOCUMENT]. Guidelines include:

  • Feasibility considerations for the use of remote assessments.
  • Steps to properly plan and prepare for the remote assessment​.
  • Detailed guidelines and best practices on the use of remote testing methods for different types of testing activities. ​
  • Requirements and expectations for PCI SSC assessors regarding the use of remote assessment activities. ​
  • Report Template Addendum to document the use of remote assessment methods.

It is important to note the PCI SSC does not enforce compliance with its standards. All questions about how completion of an assessment may impact compliance to a payment brand compliance program should be addressed to the entity’s acquirer or the applicable payment brands.

Read the PCI Perspectives blog post for additional information on the Guidelines.

About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyberattacks and breaches. Connect with the PCI SSC on LinkedIn. Join the conversation on Twitter @PCISSC. Subscribe to the PCI Perspectives Blog.