Coronavirus
(COVID-19)

Last Updated: 12 August 2020

PCI SSC is aware of the unprecedented situation caused by the spread of COVID-19. As circumstances evolve, questions have arisen surrounding a variety of issues, including the impact on assessments and trainings. We are actively monitoring the developments and collaborating with our stakeholders and community on response and needed guidance.

We have established this webpage for all updates, so please be sure to check regularly as this is a constantly evolving situation.

The PCI Perspectives blog will also be updated with the latest information. Subscribe to the blog to receive instant email notifications.

ADDRESSING USAGE OF “COMPLIANT BUT WITH LEGAL EXCEPTION” IN AOCS

With travel restrictions and lockdowns impacting the ability for assessors to complete testing of some requirements, PCI SSC has been asked about the appropriateness of using the “Compliant but with Legal exception” option in the AOC due to COVID-19. PCI SSC has issued an official FAQ to address this question.

Read the FAQ: Can the “Compliant but with Legal exception” option in the AOC be used to identify where a testing procedure could not be performed due to a legal constraint?.

COVID-19 IMPACT ON P2PE ASSESSMENTS

PCI SSC may provide, on request, a six-month extension to reassessment dates for PCI-listed P2PE Solutions, Components and Applications due for re-assessment on or before 30 June 2021, if COVID-19 related restrictions have prevented a full assessment of the P2PE Product from being completed. This extension was previously available to products due for reassessment prior to 31 October 2020. PCI SSC is also extending allowances for applicable P2PE Products due for annual revalidation before 30 June 2021 that are unable to complete the required PCI DSS assessment of their decryption environment. Vendors that wish to request an extension are required to submit an attestation to confirm their ongoing adherence to the PCI P2PE Standard and Program..

REVISIONS TO THE IMPLEMENTATION DATES FOR PCI P2PE SECURITY REQUIREMENT 18-3

In response to stakeholder feedback about the impact COVID-19 has had on implementations, PCI SSC is updating the effective dates for key block implementations. These revised dates are effective immediately. A technical FAQ will convey the revised dates until such time the P2PE Standard is updated. The new dates and additional information can be found in the bulletin below.

Read the Bulletin: Revisions to the Implementation Dates for PCI P2PE Security Requirement 18-3.

PCI SSC OFFERS INFORMATIONAL TRAINING VIA NEW ELEARNING PLATFORM

PCI Security Standards Council (PCI SSC) has adopted a new eLearning platform to move all informational and certification programs online. With the rise of the COVID-19 pandemic, the Council took important steps earlier this year to protect the health and safety of all involved by canceling face-to-face, instructor-led training courses for the remainder of the calendar year. To learn more about the eLearning platform, the importance of informational training, and which classes are now available, please read our blog: PCI SSC Offers Informational Training via New eLearning Platform.

COVID-19 IMPACT ON P2PE ASSESSMENTS

Due to the unusual circumstances relating to COVID-19, PCI SSC may provide, on request, a six-month extension to reassessment dates for P2PE Solutions, Components and Applications due for re-assessment on or before 31 October, 2020. Previously applied to P2PE products through 31 July 2020, PCI SSC is extending allowances for P2PE Products due for annual revalidation before 31 October 2020 that are unable to complete the required PCI DSS assessment of their decryption environment. Vendors are required to confirm their ongoing adherence to the PCI P2PE Standard and Program. Contact P2PE@pcisecuritystandards.org for further information.

REVISIONS TO THE IMPLEMENTATION DATE FOR PCI PIN SECURITY REQUIREMENT 18-3

In response to stakeholder feedback about the impact COVID-19 has had on implementations, PCI SSC is updating the effective dates for key block implementations. These dates are effective immediately and will be reflected in the PCI PIN Security Requirements and Testing Procedures Version 3.1, due for release later this year. The new dates and additional information can be found in the bulletin below.

Read the Bulletin: Revisions to the Implementation Date for PCI PIN Security Requirement 18-3

IMPORTANT TRAINING SCHEDULE UPDATE: INSTRUCTOR-LED TRAININGS (ILT)

With the primary concern continuing to be for the safety of everyone involved, and the current global travel restrictions, PCI SSC has decided to cancel the remainder of instructor-led training (ILT) courses through the end of the calendar year 2020.

Based on the success and overwhelmingly positive feedback we have received in existing eLearning courses that we have delivered to date, we are working diligently on adding additional courses soon. When additional courses are available they will be posted here.

The courses that are impacted for the remainder of 2020 are:

  • 9-14 Sept: Orlando, FL
    SSA, QSA, S-SLC, ISA, PCIP
  • 21 Sept – 1 Oct: London, UK
    QSA, ISA, 3DS, SSA, SLC
  • 29 Sept – 2 Oct: Melbourne, AU
    ISA, QSA
  • 13-16 Oct: Tokyo, JP 
    ISA, QSA
  • 13 – 19 Oct: Nice, FR
    ISA, QSA, QPA, P2PE, PCIP
  • 3-10 Nov: Hanoi, Vietnam 
    S-SLC, SSA, ISA, QPA,   QSA
  • 16-20 Nov: Chicago, IL
    ISA, QSA, PCIP
  • 15-16 Dec: Mumbai, IN
    QSA

 

Please be sure to check back regularly for additional updates. Please monitor the PCI SSC Coronavirus (Covid-19) webpage for the latest information.

Please contact training@pcisecuritystandards.org with any questions or concerns.

PCI SSC 2020 COMMUNITY MEETING EVENT UPDATE

The PCI SSC has made the decision that the 2020 Community Meetings in North America, Europe and Asia-Pacific will be conducted online. Although we will not be together face-to-face, we will still gather virtually to hear important Council updates, regional insights, network, collaborate, and share information. We look forward to providing an engaging online experience with more content over additional days. Be sure to mark your calendars as the dates have shifted:

NEW DATE: North America Community Meeting
Tuesday – Friday
6 – 9 October 2020

NEW DATE: Europe Community Meeting
Tuesday – Friday
20 – 23 October 2020

NEW DATE: Asia-Pacific Community Meeting
Wednesday – Friday
4 – 6 November 2020

We encourage you to continue visiting the event website for the most up-to-date information and details. Registration will be available soon! Watch our video and see why now, more than ever, we must work together to help secure payment data.

PCI SSC 2020 LATIN AMERICA FORUM EVENT UPDATE

The PCI Security Standards Council has been closely monitoring the situation caused by the spread of COVID-19 and has made the decision to transition the Latin America Forum on 13 August from an in-person meeting to a free online event. Continue to check the event website for more information.

IMPORTANT TRAINING SCHEDULE UPDATE: INSTRUCTOR-LED TRAININGS (ILT)

With the primary concern continuing to be for the safety of everyone involved, and the current global travel restrictions, PCI SSC has decided to cancel all instructor-led training (ILT) courses through the end of August 2020.

Please note: Some training and certification programs have recently been made available via eLearning with remote exam certification. More information is available here.

The courses that are impacted by this cancellation are:

  • 1-2, 5 June: London, EN
    ISA, PCIP
  • 1-4 June: Tokyo, JP
    ISA, QSA
  • 2-10 June: Toronto, CA
    ISA, QSA, CPSA-L, CPSA-P
  • 13-16 July: Portland, OR
    CPSA – P, CPSA – L, QPA
  • 5-11 August: Amsterdam, NL
    CPSA – L, CPSA – P, QPA, QSA
  • 4-11 August: Sao Paulo, BR
    ISA (Br-PT), QPA, QSA

 

Please be sure to check back regularly for additional updates. Please monitor the PCI SSC Coronavirus (Covid-19) webpage for the latest information.
Please contact training@pcisecuritystandards.org with any questions or concerns.

ELEARNING WITH ONLINE CERTIFICATION NOW AVAILABLE

Due to the global COVID-19 crisis many in-person testing facilities were closed as a result of regional stay at home recommendations and restrictions. We are pleased to offer some of our training and certification programs via eLearning with remote exam certification.

More information available here.

BEWARE OF ONLINE SKIMMING THREATS DURING THE COVID-19 CRISIS

PCI SSC and the U.S. Chamber of Commerce shares guidance and information on protecting against online skimming attacks in the face of the COVID-19 crisis. On this blog Troy Leach, Senior Vice President, Engagement Officer for the PCI Security Standards Council and Christopher Roberti, Senior Vice President, Cyber, Intelligence and Security Policy & Chief of Staff of the U.S. Chamber of Commerce discuss this important topic.

Read the blog: Beware of Online Skimming Threats During the COVID-19 Crisis.

MAINTAINING POS DEVICE SECURITY AND CLEANLINESS

Merchants are working harder than ever to protect their customers by frequently cleaning common touch points in their stores. One of these common surfaces is the point-of-sale (POS) payment terminals where customers swipe or dip their payment card and potentially enter a PIN to confirm their purchase. PCI SSC provides some considerations to avoid damaging POS devices while keeping them clean.

Read the blog: Maintaining POS Device Security and Cleanliness.

REMOTE ASSESSMENTS

Due to continued restrictions on travel and meetings as a result of the coronavirus, PCI SSC has published additional guidance for assessors on the topic of remote assessments. Read the blog here.

If you experience any issues meeting your compliance obligations, please be sure to discuss with your Brands or Acquirer.

GUIDANCE ON QSA 2nd INDUSTRY CERTIFICATION

Due to the mass closure of testing centers in many countries, the Council recognizes QSAs due to requalify before 30 June, 2020 may not be able to complete exams associated with industry certifications ahead of their requalification date. The Council has developed a temporary process for existing QSAs who, for COVID-19 related reasons, cannot meet the requirement to hold two industry certifications. For any questions regarding this temporary process, please email the QSA program manager at qsa@pcisecuritystandards.org.

COVID-19 IMPACT ON P2PE ASSESSMENTS

Due to the unusual circumstances relating to COVID-19PCI SSC may provide, on request, a six-month extension to reassessment dates for P2PE Solutions, Components and Applications due for re-assessment on or before 31 October, 2020. Flexibility may also be provided to vendors with annual revalidations due on or before 31 July, 2020 that are unable to complete the required PCI DSS assessment of their decryption environment. Vendors are required to confirm their ongoing adherence to the PCI P2PE Standard and Program.  Contact P2PE@pcisecuritystandards.org for further information. 

GUIDANCE ON WORKING REMOTELY

PCI SSC is dedicated to providing necessary guidance to the payments industry during evolving circumstances related to COVID-19. The current climate is forcing more global organizations to a remote-work model. As organizations make this shift, it is important to maintain security practices to protect payment card data. Read the following PCI Perspectives blog posts for guidance related to protecting payments while working remotely.

How the PCI DSS Can Help Remote Workers

Protecting Payments While Working Remotely

NOTE: If you experience any issues meeting your compliance obligations, please be sure to discuss with your Brands or Acquirer.

BEWARE OF COVID-19 ONLINE SCAMS AND THREATS

With the rise in phishing and social engineering attacks designed to exploit the COVID-19 crisis, several government organizations around the globe, including the U.S. Secret Service (USSS), U.S. Department of Justice (DOJ), Federal Trade Commission (FTC), Europol,  CERT-In (The Indian Computer Emergency Response Team),  ReBIT ( [The Technology Arm of Reserve Bank of India), ABECS (Brazilian Credit Card Association), andJC3 (Japan Cybercrime Control Center)have issued warnings about these threats.  The PCI SSC has published guidance on this important topic.  Read the blog here.

IMPORTANT TRAINING SCHEDULE UPDATE: INSTRUCTOR-LED TRAININGS (ILT)

With the primary concern continuing to be for the safety of everyone involved, and the current global travel restrictions, PCI SSC has decided to cancel all instructor-led training (ILT) courses through the end of June 2020. The courses that are impacted by this cancellation are:

  • 23-26 March: Dallas, TX
    QSA, ISA
  • 20-24 April: Berlin, DE
    QSA, QPA, 3DS
  • 20-21, 23-24 April: Mumbai, India
    QSA, QSA
  • 21-28 April: Boston, MA
    ISA, QSA, P2PE
  • 4-7 May: Denver, CO
    PCIP, 3DS, QPA
  • 1-2, 5 June: London, EN
    ISA, PCIP
  • 1-4 June: Tokyo, JP
    ISA, QSA
  • 2-10 June: Toronto, CA
    ISA, QSA, CPSA-L, CPSA-P

 

We are looking to reschedule these courses in the future and hope to restart our instructor-led trainings later in 2020.

For those that have already signed up for these courses, PCI SSC is evaluating options that would allow us to deliver specific courses using virtual and remote training tools, and we will provide those updates later soon.

Please also note that we have amended our Refund Policy to accommodate these changes. We will work with registered trainees in an effort to either refund your training fees or move you into another class. Where the applicable program allows, we may alternatively move attendees to computer-based training.

Please be sure to check back regularly for additional updates. Please monitor the PCI SSC Coronavirus (Covid-19) webpage for the latest information.

Please contact training@pcisecuritystandards.org with any questions or concerns.

IMPORTANT TRAINING SCHEDULE UPDATE: INSTRUCTOR-LED TRAININGS (ILT)

With the primary concern for the safety of everyone involved, and the current uncertainty of global travel restrictions, PCI SSC has decided to cancel all instructor-led training (ILT) courses through the end of May 2020. The courses that are impacted by this cancellation are:

  • 23-26 March: Dallas, TX
    QSA, ISA
  • 20-24 April: Berlin, DE
    QSA, QPA, 3DS
  • 20-21, 23-24 April: Mumbai, India
    QSA, QSA
  • 21-28 April: Boston, MA
    ISA, QSA, P2PE
  • 4-7 May: Denver, CO
    PCIP, 3DS, QPA

 

We are looking to reschedule these courses in the future and we will be reviewing the situation again at the end of April.

We will publish any additional changes at that point. For those that have already signed up for these courses, PCI SSC is evaluating options that would allow us to deliver specific courses using virtual and remote training tools, and we will provide those updates later this month.

Please also note that we have amended our Refund Policy to accommodate these changes. We will work with registered trainees in an effort to either refund your training fees or move you into another class. Where the applicable program allows, we may alternatively move attendees to computer-based training.

Please be sure to check back regularly for additional updates. Please monitor the PCI SSC Coronavirus (Covid-19) webpage for the latest information.

Please contact training@pcisecuritystandards.org with any questions or concerns.

REMOTE ASSESSMENTS

Due to restrictions on travel and meetings as a result of the coronavirus, PCI SSC has published guidance for assessors on the topic of remote assessments. Read the blog here.Last updated 9 March 2020 at 11:50

Our existing guidance on remote assessments remains in effect at this time and we are working with our partners and assessment community to establish additional guidance. However, if you experience any issues meeting your compliance obligations, please be sure to discuss with your Brands or Acquirer.

LATIN AMERICA FORUM AND COMMUNITY MEETING UPDATE

PCI SSC continues to monitor the COVID-19 crisis and its impact on our community and stakeholders. At the present time, we are moving forward with the Latin America Forum in Sao Paulo, Brazil scheduled for 13 August and our Community Meetings scheduled for 15-17 September in Orlando, Florida, 20-22 October in Nice, France, and 11-12 November in Hanoi, Vietnam. The health and safety of our attendees remains our top priority and we will continue to evaluate the situation and monitor domestic and international conditions carefully. Please be sure to check back regularly for updates.

PTS POI EXPIRATION EXTENSION

Due to supply-chain disruptions related to the COVID-19, the PCI Council has changed the extended date for PIN Transaction Security Point-of-Interaction (PTS POI) version 3 devices from April 30, 2020 to April 30, 2021. Read the Bulletin Here.

INDIA TOWN HALL UPDATE

As concerns grow around the spread of COVID-19, yesterday Indian Prime Minister Modi recommended avoiding mass gatherings to avoid the spread of the virus. In deference to this guidance, we have made the difficult decision to cancel the India Town Hall in Mumbai scheduled for 22 April 2020. The health and well-being of our attendees are of the utmost importance to us and we did not take this decision lightly. We are looking into making arrangements to host this event later in the year and will circulate additional details once they become available. We apologize for any inconvenience this may have caused you and thank you for your understanding.

At the present time, we are continuing with our QSA training classes on 20-21 April and on 23-24 April, as these are smaller events. That said, in recognition of companies that may have travel restrictions or individuals who may not be comfortable traveling at this time, we are waiving any cancellation fees associated with these trainings.

The PCI Perspectives blog will also be updated with the latest information. Subscribe to the blog to receive instant email notifications.

We appreciate your understanding as we work with this evolving situation.