Reviewing & Verifying PCI Policy for WFH Environments

by Kelly O'Brien 0 Comments

Cybercriminals love a crisis, and the COVID-19 pandemic is the equivalent of a crisis party where everyone is invited, and no one is checking IDs at the door. As a result, to avoid a Sixteen Candles situation (and to keep employees healthy), companies are scrambling to provide the training, support, and tools for employees to safely work remotely. As a trusted PCI Qualified Security Assessor (QSA), Agio understands how important it is to have the right policies and procedures in place, especially on the fly.

Firms that take credit card payments are being forced to create and implement policies they may not have considered before this crisis. This presents a wealth of challenges: ensuring architectures can handle a remote workforce; enforcing security for people, processes, and technology; providing company-issued devices; and helping employees spot various forms of phishing and spoofed websites containing malware.

PCI Compliance concerns in REMOTE WORK Environments

Your organization has to place a lot of trust in employees who store, process, or transmit credit cards remotely. The systems you use must be secure, and customers need to feel safe when providing their valuable data details. Non-compliance with PCI standards could mean significant fines, damage to your reputation, and loss of trust from customers and payment partners—all of which could result in higher charges, loss of revenue, and grave long-term repercussions.

The problem is that PCI compliance is a hurdle in a variable remote working situation. For instance, a manager can’t ensure a clean desk policy is followed in a home environment. It’s also difficult to know whether employees are writing down card numbers, typing them into another document, recording card numbers, or repeating the card data back to the customer.

And, if your company has call centers, those bring a different set of concerns because they don’t easily translate to work-from-home environments. Some of the physical security requirements are reasonable for call center workers but others may require you to decide on a defendable interpretation of some terms. For example, some physical security controls apply only to sensitive areas. The PCI SSC defines a sensitive area as

“Any data center, server room, or any area that houses systems that store, process, or transmit cardholder data. This excludes the areas where only point-of-sale terminals are present such as the cashier areas in a retail store.”

According to this definition, the room where a remote call center agent is working may be considered a sensitive area since it houses a system that transmits cardholder data. However, there is an exclusion for point-of-sale terminals, likely because the primary account numbers (PAN) are transmitted one by one.  If remote workers are transmitting one PAN at a time, their work environment would not be considered a sensitive area and, therefore, some of the PCI security requirements would not apply (e.g., installation of video cameras or other control mechanisms to monitor the individual).

It’s worth noting that if your firm is leveraging free cloud services such as Microsoft or Google, it does not equate to automatic compliance.

Review & update current policies

It’s no small task to ensure PCI compliance requirements are met by a remote workforce processing card data. We’ve helped many a company write and review security policies based on where the industry is headed while taking into consideration external threats. COVID-19 hasn’t slowed us down.

Begin by mapping out the flow of cardholder data.  Consider how employees receive sensitive data (i.e., over the phone, fax, or internet). Once the data is received, how are employees processing it? What devices and network segments are involved in the transmission of cardholder data? Realize that any system involved in the storage, processing, or transmission of cardholder data is in-scope for your environment (as is any system that can affect the security of these devices). The PCI SSC Scoping Guide provides additional information.

Next, create a single approved, remote-working policy that includes physical security requirements. Define roles and responsibilities, acceptable use, proper protection of credit card processing, reporting incidents, and sanctions. This policy should also include an annual sign-off from the remote worker on all applicable requirements within their control (e.g., consider including a video or pictures of the networking environment). If the requirements can’t be met, the individual shouldn’t process card information remotely.

Create an authenticity policy for transactions. If the business process oversees wire transfers or payment requests, create a policy that requires employees to confirm such requests to verify the authenticity.

We can help you update your company plans for pandemic preparedness.We’ll also revisit your incident response plan, disaster recovery plan, and other security monitoring plans to ensure the necessary steps are in place to manage business continuity.

Reviewing, updating, and creating policies ensures that all of the PCI requirements applicable to remote endpoints and processes are properly tested before releasing the devices to your corporate resources.

Requirements for remote work environments

As a PCI Qualified QSA Agio can also help you evaluate endpoint configurations. To the extent remote workers will be processing payment card information, those remote work environments must be considered part of the cardholder data environment (CDE), and the risks to the information must be evaluated and addressed according to the PCI-DSS requirements. The following table lists the PCI requirements that are in scope for remote endpoint devices:

A screenshot of a social media post

Description automatically generated

Other important requirements include:

  • Reviewing your remote employee-assigned access roles. Ensure that only those employees with need-to-know roles can access cardholder or sensitive data.
  • Providing Voice over IP (VoIP) over VPN when accepting telephone order transactions remotely. If the cardholder data environment (CDE) includes telephone-order transactions, ensure that VoIP data is encrypted when being transmitted over the internet, and keep in mind that any call recordings would be in scope and must be protected.
  • Defining clear responsibilities for accountability for each PCI when using cloud environments for storage, processing, or transmission of card data.
  • Prohibiting unauthorized copying, moving, and storing of account data onto local hard drives and removable electronic media when accessing payment card data via remote-access technologies.

What device will employees use for remote work? Is it company-owned or personal? If possible, require all personnel to only use company-approved hardware devices. Mobile phones, telephone handsets, laptops, desktops, and systems should all be company-owned and approved.

You may have to resort to having employees use their personal devices if cost or timing is an issue, but we don’t recommend it. Personal devices have the highest area of risk when processing PAN for the following reasons:

  • Home users are typically administrators on their own devices and use those devices for daily personal email and web browsing.
  • Using a non-company issued device will either expand the PCI scope or negate PCI Compliance.
  • Home devices may not implement multi-factor authentication (MFA) or virtual private networks (VPN).
  • Remote devices may not be centrally managed or updated with the latest vendor security patches.
  • Remote office wireless access points may not be configured securely.
  • Remote users may not be aware of the company’s Acceptable Use policies and guidelines or may have the misconception that these policies do not apply in their home environment.
  • There are no defined roles and responsibilities for the remote employees.

If your employees must use their own devices, implement mobile device management (MDM) for personal devices that are used to process card data, provide clear instructions for securing home Wi-Fi connections, and prohibit the use of public Wi-Fi or public hotspots.

Regardless of who owns the devices, ensure all laptops/desktops in remote environments have the following:

  • Personal firewalls that are installed and operational
  • The latest version of the corporate virus-protection software and definition files
  • The latest approved security patches installed

All machines must be configured to prevent users from disabling security controls and should require multi-factor authentication (MFA). Remote employees should always use MFA when connecting to the telephone environment or to any systems that process account data.

Work-From-Home Check-Ins

When employees make a physical shift from working in the office to working from home, they may make a mental shift as well. It’s not uncommon for people to downplay or ignore best practices when they aren’t in an office setting.

Consider sending frequent security bulletins that remind personnel to remain vigilant against potential cyber-attacks and scams. Remind employees not to click links or open attachments contained in unsolicited emails. They shouldn’t provide personal or financial information when responding to online solicitations. If they need up-to-date, fact-based information about COVID-19, they should only use trusted sources (i.e., hospitals and government websites).

Additional References

The following list provides additional reference guides, based on industry best practices, for securing remote work environments

In conclusion

While companies are consumed with the task of implementing remote work strategies in response to the COVID-19 crisis, it is critical to remember that no matter how chaotic the situation continues to be, businesses are not exempt from compliance obligations. The appropriate response to COVID-19 is to continue to enforce basic good cyber hygiene.

As you focus on PCI compliance in a work-from-home world, it’s taxing and disruptive on internal resources. We can help you assess risk and teach end users how to recognize and avoid attacks from bad actors.

Contact us. We’re here.