Compliance assessment activities and regular compliance activities (e.g., penetration tests, employee training, etc.) may be disrupted during COVID.
Retail locations may be closed, and staff may be unavailable.
Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times.
We are still waiting to hear from the acquirers and card brands on what options might be available. I think that additional information will be available shortly and I will keep this page up to date. I think it's safe to assume that COVID-19 impact respite is likely available and, currently, you will need to reach out directly to your acquirer for more specific guidance.
On March 9, the Council released information about conducting “on site” assessments here. Nothing much new, just a link to existing remote guidance and the advice that “…if you experience any issues meeting your compliance obligations, please be sure to discuss with your Brands or Acquirer.”
COVID news from Acquirers and Card Brands regarding PCI DSS compliance of Merchants:
- Moneris March 15 2020: Notification that service personnel will take precautions to not spread the virus and POI device cleaning advice.
- AMEX Trustkeeper portal: March 22 2020: no COVID info. (But speaking of viruses, the site does require Adobe Flash to work).
- Visa Canada: March 22 2020: Search for COVID asks “did you mean comic?”
- Visa: April 23 2020: Visa Merchant Business News Digest: Advice for merchants on doing business during pandemic including managing disputes and reducing cardholder interaction.
- Bloomberg Article March 27 2020: Visa Delays Fee Changes, Might Also Give Gas Stations Relief
- Mastercard: March 22 2020: No news is good news?
- PCI Security Standards Council
  - Blog March 25 2020: Protecting payments while working remotely
  - Bulletin: March 10 2020: Extension of Expiration of the Approval of PCI PTS POI v3 Devices
Ad below this line:
As well, the PCI GURU and other security consultants are having an online discussion on BrightTALK (a technology media company that provides professional webinar hosting) titled “Dealing with PCI DSS Compliance During the COVID-19 Crisis” on March 25 2020.