Download our FREE whitepaper on data loss prevention best practices. Download Now

PCI DSS Compliance and Remote Work

Starting with the coronavirus (COVID-19) pandemic, companies across the world that wanted to maintain business operations and abide by new government-mandated regulations concerning the movement of individuals, have widely adopted remote work models. And while for certain types of jobs and sectors, this posed no great problems, others faced the danger of non-compliance with data protection regulations and industry standards.

The Payment Card Industry Data Security Standard (PCI DSS) has long been considered a hurdle to remote work as compliance is hard to achieve in an uncontrolled environment such as an employee’s home. PCI DSS is a set of 12 security requirements that helps businesses protect their payment systems from breaches, fraud, and theft of cardholder data. They include, among others, the need to implement strong access control measures, protect cardholder data and maintain an information security policy.

While not legally binding, PCI DSS was adopted globally as a general standard by financial institutions, most notably banks, and is required for all companies that process, store or transmit credit card information from the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa.

Non-compliance comes at a high price: organizations face fines of up to $100,000/month and increased transaction fees and risk having their relationship with their bank terminated. Worse still, they can find themselves on the dreaded MATCH (Merchant Alert to Control High-Risk) list, which will ensure they will never be allowed to process card payments again.

PCI DSS Compliance in WFH environments

The PCI Security Standards Council (PCI SSC) has recognized the extraordinary circumstances companies around the world face and has issued guidance for remote work while stressing the need to maintain cybersecurity practices to protect payment card data. These best practices for work from home (WFH) environments, however, do not replace PCI DSS requirements but are meant to support companies to meet compliance while their employees work from home.

According to the guidance, one of the best ways to guarantee continued compliance is to create and maintain a culture of security within the organization. This can be achieved through a security-awareness program that informs employees about a business’s security policies and procedures and helps them understand their importance both for data security and compliance. If companies were PCI compliant prior to the ongoing health crisis, they should already have such a program in place as it is part of PCI DSS Requirement 12.6.

In the case of remote work, the need to inform and educate employees increases: they must be made aware of the risks posed by working from home to PCI DSS compliance and what they need to do to ensure the continued security of systems, processes, and equipment supporting the processing of payment card data.

While this can be challenging outside of the office, employees must know that the most essential requirement is that any systems used to process account data are securely maintained and not accessible to any unauthorized individual. This means protection against outside interference and any carelessness on the part of the employees themselves and blocking physical access to the place where their work is conducted. Employees should, therefore, maintain a home working environment where other members of their household cannot enter.

Securing Processes

The physical space where an employee is working remotely and processing card payments must be effectively monitored and access to it controlled at all times. Locking a home office space is one-way employees can prevent physical access to any systems that process account data. However, it is also essential that multi-factor authentication processes be put in place to make sure that, should someone gain physical access to the home office space, they will still not be able to access account data.

Data transfer can also be controlled through Data Loss Prevention (DLP) tools that allow companies to monitor credit card information transfers through predefined policies and block its transfer through insecure exit points such as file-sharing services or instant messaging applications, which employees might be tempted to use while working remotely.

Any printed account data must also be securely stored, preferably under lock and key, and shredded or otherwise destroyed when it is no longer needed.

Limiting Data Exposure

Remote workers should only use company-approved hardware: whether it’s laptops, phones, or removable devices. In this way, companies can maintain control of systems and the technology supporting payment processing. Organizations can ensure that no unauthorized devices are connected to work computers by the application of DLP device control policies on the endpoint which limit or block USB and peripheral ports altogether whether a device is online or not.

It is also recommended that all company computers being used remotely have up-to-date firewalls, corporate antivirus solutions, and security patches installed. These security controls need to be configured in such a way that users cannot disable them.

Frequently Asked Questions

Why is PCI DSS compliance important?
PCI DSS compliance is important for several reasons. By following this standard, organizations can keep payment card data secure, avoid costly data breaches, and protect customer and employee information. Failing to comply with PCI DSS can lead to steep fines and penalties, suspension of accounts, and revocation of credit card payment services.

Check out our advanced PCI compliance scanner.

What are the 12 requirements of PCI DSS Compliance?
  • Install and maintain a firewall configuration
  • Configure passwords and settings
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software or programs
  • Regularly update and patch systems
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Implement logging and log management
  • Conduct vulnerability scans and penetration tests regularly
  • Documentation and risk assessments

Find out how to ensure PCI DSS compliance during remote work

How DLP helps with PCI DSS compliance?
Data Loss Prevention (DLP) solutions are some of the most useful tools for PCI DSS compliance. By deploying a DLP solution, companies can ensure that cardholder information is identified, logged, and controlled in order to meet PCI DSS requirements, including the following:
  • Protecting stored cardholder data
  • Restricting access to cardholder data by business need-to-know
  • Tracking and monitoring all access to network resources and cardholder data
  • Regularly testing security systems and processes

Learn more about how DLP helps with PCI DSS compliance.

How Endpoint Protector helps with remote work?
Shifting to remote work involves sensitive data leaving company premises and data stored on endpoints becoming vulnerable to leakage and theft. Endpoint Protector DLP allows organizations to apply security policies on the endpoint, thus protecting sensitive data whether a computer is connected to the company network or outside it. Our solution can also ensure that compliance efforts with legislation such as PCI DSS carry on uninterrupted by offering predefined policies. The Outside Network and Outside Hours policies allow companies to set different monitoring and control policies when a computer is taken outside the company network or used outside of regular working hours. Endpoint Protector policies remain active whether a company computer is online or offline, which means sensitive data is controlled and monitored at all times, and logging continues as usual.

Read more about how Endpoint Protector DLP helps with remote work.

explainer-c_learning

Download our free ebook on
Data Loss Prevention Best Practices

Helping IT Managers, IT Administrators and data security staff understand the concept and purpose of DLP and how to easily implement it.

In this article:

    Request Demo
    check mark

    Your request for Endpoint Protector was sent!
    One of our representatives will contact you shortly to schedule a demo.

    * Your privacy is important to us. Check out our Privacy Policy for more information.