PCI SSC is dedicated to providing necessary guidance to the payments industry during evolving circumstances related to COVID-19. The current climate is forcing more global organizations to a remote-work model. As organizations make this shift, it is important to maintain security practices to protect payment card data. The following are excerpts related to remote work best practices taken from the PCI SSC Information Supplement “Protecting Telephone-Based Payment Card Data”.
Note: The information supplement and the excerpts included below do not replace or supersede requirements in any PCI SSC Standard.
One of the best ways to mitigate that risk is to create and maintain a culture of security within the organization. Examples of controls for remote workers include:
- Implement a security-awareness program (PCI DSS Requirement 12.6), delivered at the start of employment and at least annually thereafter, to make sure that all personnel are properly trained and knowledgeable about the business’s security policies and procedures. This includes reviewing security policies and procedures with all in-house and at-home/remote agents at least annually to ensure that security processes and procedures are not forgotten or bypassed. As a best practice, consider requiring personnel to acknowledge the security policy as part of their daily sign-in process.
- Particular attention must be given to home workers. Some of the examples of controls may be difficult to implement. Organizations should evaluate the additional risks associated with processing account data in unsecured locations and implement controls accordingly. All staff should be made fully aware of the risks related to remote or home-working and what should be required to maintain the ongoing security of systems, processes, and equipment supporting the processing of telephone-based payment card data.
- Securing systems and data located in home-worker environments can be challenging and difficult to enforce. At a minimum, home workers should be required to ensure that any systems they use to process account data, and any account data to which they have access, is securely maintained and not accessible to any unauthorized individual.
The physical environment within which an office worker or home worker is taking card payments over the telephone should be effectively monitored and access controlled. Examples of required controls include:
- Ensure that at-home/remote workers use a multi-factor authentication process when connecting to the telephone environment or to any systems that process account data.
- Restrict physical access to media containing payment card data, such as call or screen recordings, as well as networking/communications hardware.
- If account data is ever written or printed on paper, ensure it is securely stored, then shredded when no longer needed. If any part of the telephone environment is outsourced to a third-party service provider, both the entity and service provider should clearly understand their responsibilities for securing their respective systems, processes, and personnel, and document accordingly.
By limiting exposure of payment data in your systems, you simplify scope and validation, reducing the chance of being a target for criminals. Examples of recommendations for remote workers include:
- Require all personnel to use only company-approved hardware devices- e.g., mobile phones, telephone handsets, laptops, desktops, and systems. This is especially relevant to remote/at-home working, ensuring that the entity can maintain control of systems and technology supporting the processing of telephone-based payment card data.
- Ensure that all desktop/terminals, in remote/at-home working environments:
- Have personal firewalls installed and operational.
- Have the latest version of the corporate virus-protection software and definition files.
- Have the latest approved security patches installed.
- Are configured to prevent users from disabling security controls.
- For the home/remote worker supported as an extension of the entity’s network, make sure that their environment (e.g. network and other technology) is secure in accordance with the PCI DSS requirements. Any implementation should be agreed to with your acquirer or payment card brand.
The above excerpts are mostly taken from the PCI SSC Information Supplement “Protecting Telephone-Based Payment Card Data." This supplement is the result of a Council Special Interest Group (SIG). SIGs are community-driven initiatives that focus on payment security challenges related to PCI Security Standards. Learn more about how to join a SIG by visiting the Special Interest Group page.