Remote PCI Assessments: Official PCI SSC Guidelines for Off-Site Audits


Last Updated on November 27, 2025 by Narendra Sahoo

The shift to remote work and ongoing travel limitations have forced many organizations to rethink how their PCI assessments are carried out. To help businesses and assessors adapt, PCI SSC has issued clear guidance on how remote PCI assessments should be handled when onsite visits aren’t possible. The goal is simple — maintain the same level of assurance, evidence quality, and control validation that an in-person assessment would provide.

This updated guidance outlines what assessors need to verify, how evidence should be reviewed, and the steps required to ensure the integrity of the assessment remains intact, even when the process is conducted off-site.

Does an assessor need to be onsite?

The PCI Security Standards Council understands that there are situations where an assessor simply cannot travel to a client location. Health concerns, travel restrictions, and similar disruptions can make onsite assessments temporarily impossible. In such cases, a remote assessment is acceptable, as long as the guidance provided by the council is followed carefully.

When working remotely, an assessor must be confident that the validation they perform offers the same level of assurance as an in-person review. Evidence, interviews, and observations all need to be handled with the same level of scrutiny before any requirement is marked as “in place” in the final compliance report.

Maintaining the Integrity of the Assessment

For a remote assessment to be trusted, its integrity cannot be compromised. This means the assessor must take extra care to confirm that the people being interviewed are the correct personnel and that the systems being reviewed are the real production systems. Screenshares, video walkthroughs, and controlled evidence transfers may be required to match the assurance level of an onsite visit.

Assessors must also document clearly in the Report on Compliance why onsite work could not be performed. The report should describe how each piece of remote testing was conducted and how it provided equivalent assurance. All evidence gathered during the remote review must be kept with the assessment work papers for any future audit or verification.

In some situations, assessor companies may choose to involve qualified local resources. For example, if a QSA is unable to travel but a trusted subcontractor is available locally, that subcontractor may perform the onsite elements under the rules of the QSA program.

Balancing remote testing with required onsite work

Even with careful planning, not every test can be performed remotely. Some checks still require a physical presence, and delays may be unavoidable when those activities cannot be completed immediately. In other cases, the remote portion of the assessment may take longer because coordination and evidence gathering require additional steps.

Any concerns about how these delays affect compliance should be discussed with the organization’s acquirer or the appropriate payment brands. They are the final authorities on timing, reporting, and compliance recognition.

Key Takeaways

  • Remote PCI assessments are acceptable when onsite work isn’t possible, as long as evidence and validation remain reliable.

  • Assessors must ensure the same level of assurance that an onsite review would provide.

  • Every remote testing method must be clearly documented in the final report.

  • Some checks may still require in-person validation, and delays may be unavoidable.

  • Clear communication with acquirers and payment brands is essential when timelines or onsite activities are impacted.


FAQ

Q1. Can a PCI DSS assessment be done remotely?

Yes, it can. When onsite access isn’t possible, assessors are allowed to perform a remote PCI review as long as the level of assurance is the same as an in-person visit.

Q2. What evidence is typically needed for a remote PCI audit?

Typical evidence includes screen shares, video walkthroughs, system documentation, real-time interviews with the responsible personnel, and confirmation that the systems being reviewed are the actual production systems.

Q3. Does a QSA always have to come onsite?

Not necessarily. If travel isn’t possible, the assessor can work remotely or use approved local resources to handle the onsite elements.

Q4. Are all PCI DSS checks suitable for remote testing?

No. Certain physical security checks and device inspections still require someone to be present at the location.