PCI DSS Compliance and Remote Work
As the COVID-19 pandemic continues to spread across the world, companies that want to maintain business operations and abide by new government-mandated regulations concerning the movement of individuals have widely adopted remote work models. While this poses no great problems for certain types of jobs and sectors, others face the danger of noncompliance with data protection regulations and industry standards.
The Payment Card Industry Data Security Standard (PCI DSS) has long been considered a hurdle to remote work as compliance is hard to achieve in an uncontrolled environment such as an employee’s home. PCI DSS is a set of 12 security requirements that helps businesses protect their payment systems from breaches, fraud, and theft of cardholder data. They include, among others, the need to implement strong access control measures, protect cardholder data and maintain an information security policy.
While not legally binding, PCI DSS has been adopted globally as a general standard by financial institutions, most notably banks, and is required for all companies that process, store or transmit credit card information from the world’s biggest card schemes: American Express, Discover, JCB, MasterCard, and Visa.
Noncompliance comes at a high price: organizations face fines of up to $100,000/month and increased transaction fees and risk having their relationship with their bank terminated. Worse still, they can find themselves on the dreaded MATCH (Merchant Alert to Control High-Risk) list which will ensure they will never be allowed to process card payments again.
PCI DSS Compliance during the COVID-19 Pandemic
The PCI Security Standards Council has recognized the extraordinary circumstances companies around the world currently face and has issued guidance for remote work, while stressing the need to maintain security practices that protect payment card data. These best practices for remote work, however, do not replace PCI DSS requirements; they are meant to support companies in meeting compliance while their employees work from home.
According to the guidance, one of the best ways to guarantee continued compliance is to create and maintain a culture of security within the organization. This can be achieved through a security-awareness program that informs employees about a business’s security policies and procedures and helps them understand their importance both for data security and compliance. If companies were PCI DSS compliant prior to the ongoing health crisis, they should already have such a program in place as it is part of PCI DSS Requirement 12.6.
In the case of remote work, the need to inform and educate employees increases: they must be made aware of the risks posed by working from home to PCI DSS compliance and what they need to do to ensure the continued security of systems, processes, and equipment supporting the processing of payment card data.
While this can be challenging outside of the office, employees must know that the most essential requirement is that any systems used to process account data are securely maintained and not accessible to any unauthorized individual. This means protecting those systems against outside interference and against carelessness on the part of the employees themselves, and blocking physical access to the place where their work is conducted. Employees should, therefore, maintain a home office space that other members of their household cannot enter.
The physical space where an employee is working remotely and processing card payments must be effectively monitored, and access to it controlled, at all times. Locking a home office space is one way employees can prevent physical access to any systems that process account data. However, it is also essential that multi-factor authentication be put in place so that, should someone gain physical access to the home office space, they will still not be able to access account data.
Data transfer can also be controlled through Data Loss Prevention (DLP) tools that allow companies to monitor credit card information transfers through predefined policies and block such transfers over insecure exit points such as file sharing services or instant messaging applications, which employees might be tempted to use while working remotely.
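As an added example (not from the original article or any particular DLP product), the following Python sketch shows the kind of predefined policy a DLP tool applies to outbound content: it finds card-number-shaped digit runs, validates them with the Luhn check to weed out look-alike numbers such as order or phone numbers, masks them for the audit log, and blocks the transfer when the exit point is one the policy marks insecure. The channel names, the policy decision and the sample messages are assumptions constructed for illustration.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, the way card numbers are commonly typed into chat or e-mail.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Exit points the (assumed) policy treats as insecure for cardholder data.
INSECURE_CHANNELS = {"file_sharing", "instant_messaging"}

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return digit-only PANs found in text; Luhn filters out order numbers and the like."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_message(text: str, channel: str) -> dict:
    """Apply the policy to one outbound message and return the decision plus masked PANs."""
    pans = find_pans(text)
    action = "allow"
    if pans:
        action = "block" if channel in INSECURE_CHANNELS else "allow_and_log"
    return {"action": action, "masked": [mask_pan(p) for p in pans]}

if __name__ == "__main__":
    # Constructed sample messages, not real traffic; the first PAN is a public test number.
    samples = [
        ("Customer card is 4111 1111 1111 1111, exp 12/25", "instant_messaging"),
        ("Order 4111111111111112 shipped, call 555-123-4567", "file_sharing"),
    ]
    for text, channel in samples:
        print(channel, scan_message(text, channel))
```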
Any printed account data must also be securely stored, preferably under lock and key, and shredded or otherwise destroyed when it is no longer needed.
Limiting Data Exposure
Employees should only use company-approved hardware, whether laptops, phones, or removable devices. In this way, companies can maintain control of the systems and technology supporting payment processing. Organizations can ensure that no unauthorized devices are connected to work computers by applying DLP device control policies on the endpoint that limit or block USB and peripheral ports altogether, whether the device is online or not.
It is also recommended that all company computers being used remotely have up-to-date firewalls, corporate antivirus solutions and security patches installed. These security controls need to be configured so that users cannot disable them.