Being a security professional, the term virus drives many of us, adrenal glands pumping, to fight it tooth and nail until its elimination. Well, in these conditions, my fight is restricted to novice guidance on the do’s and don’ts as learned and understood by me. Thanks to all medical and paramedical professionals who are risking their own lives to save several others.
In our topic, PCI, all of us are more than aware that compliance with the PCI-DSS v3.2.1 standard is a continuous and ongoing process under changing environments. The changing and dynamic environments are visualized in terms of risk scenarios and the controls laid out to mitigate those risks (PCI Requirements 12.2.a and 12.2.b). It is understood that pandemic conditions, as prevalent today across the world, would have been one of the risk scenarios, and adequate controls to counter them would have been prescribed and implemented. It is not the intent today to open up risk assessment reports and examine their coverage and effectiveness. We should be looking at the larger picture without debating whether PCI Requirement 12.2, relating to risk assessment, is enterprise-wide or not, whether it needs to cover the information security tenet ‘Availability’, and if yes, to what extent.
The larger picture is the sustenance of PCI under such conditions, when the availability of the human element needed to maintain the controls from a specified secure location is in question.
There is no simple and easy answer to this. The approach would be to list the PCI requirements and sub-requirements whose fulfilment could be impacted under the existing conditions. Obviously, this will vary from industry to industry, between companies within an industry, from country to country, between cities within a country and so on, meaning there will not be a one-list fit for all.
One small merchant with only two POS terminals may not open his establishment for some time. In such a scenario, although PCI is a 365x7 exercise, he would still be compliant, since he has eliminated any risks arising from a transaction perspective at least. It is assumed that the risk of a break-in at the shop is anyway covered when he closes every day, coronavirus or not!
In summary, sustenance should essentially revolve around a revised risk assessment, additional controls, compensating controls and documentation of exceptions, so as to keep the security intended by the PCI standard in letter and spirit.
Well, I can’t cover requirement by requirement and case by case in this article. Without prejudice to all that is stated above, I would like to see an informal ceasefire between hackers and security professionals until the abatement of this pandemic.