Compliance assessment activities and regular compliance activities (e.g. penetration tests, employee training, etc.) may be disrupted during COVID.
Retail locations may be closed, staff may be unavailable.
Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times.
We are still waiting to hear from the acquirers and card brands on what options might be available. I think that additional information will be available shortly and I will keep this page up to date. I think it's safe to assume that COVID-19 impact respite is likely available and, currently, you will need to reach out directly to your acquirer for more specific guidance.
On March 9, the Council released information about conducting “on site” assessments here. Nothing much new, just a link to existing remote guidance and the advice that “…if you experience any issues meeting your compliance obligations, please be sure to discuss with your Brands or Acquirer.”
COVID news from Acquirers and Card Brands regarding PCI DSS compliance of Merchants:
Moneris: March 15 2020: Notification that service personnel will take precautions to not spread the virus and POI device cleaning advice.
Visa Canada: March 22 2020: Search for COVID asks “did you mean comic?”
Visa: March 22 2020: No press release since 2019.
Mastercard: March 22 2020: No news is good news?
PCI Security Standards Council Bulletin: March 10 2020: Extension of Expiration of the Approval of PCI PTS POI v3 Devices
As well, the PCI GURU and other security consultants are having an online discussion on BrightTALK (a technology media company that provides professional webinar hosting) titled “Dealing with PCI DSS Compliance During the COVID-19 Crisis” on March 25 2020.