Frequently Asked Question
Are remote assessments permitted for PCI DSS?
While onsite assessments continue to be the expected method for PCI SSC assessments, the use of remote assessment methods may provide a suitable alternative in legitimate scenarios where an onsite assessment is not feasible. In such scenarios, entities should consult with the compliance-accepting entity to confirm whether remote assessments are allowed and any requirements they may have around performing remote assessments or the submission of remote assessment reports.
PCI SSC has developed a set of guidelines and procedures outlining the appropriate use of remote assessment methods when an onsite assessment is not feasible and where remote assessments are permitted by the compliance-accepting entity. The PCI SSC Remote Assessment Guidelines and Procedures can be found in the PCI SSC Document Library. If remote assessment methods are used in place of onsite assessment, the Assessor may be required to complete the Addendum for ROC/ROV: Remote Assessments, if requested by the compliance-accepting entity.
Featured FAQ Articles
Most Recently Updated
Is the expectation that any PFI investigation initiated must result in a PFI Final Report?
Can SAQ eligibility criteria be used for determining applicability of PCI DSS requirements for assessments documented in a Report on Compliance?
Do PCI DSS requirements for keyed cryptographic hashing apply to previously hashed PANs?