Global representatives of the PCI Security Standards Council recently came together, via a virtual video platform, to discuss how the Council is responding to the COVID-19 pandemic, as well as best practices for the payment industry during this unprecedented time.
Troy Leach, SVP and Engagement Officer, joins Nitin Bhatnagar, Associate Director in India, Carlos Caetano, Associate Director of LA Region of Brazil, and Jeremy King, Regional Head of Europe, to address payment security issues and the implications of these changes to all of us on a global scale.
Troy Leach: Today we are going to cover several of the questions we’ve received but, most importantly, we recognize that everyone’s safety and their concerns about the future are at the forefront of our minds. We are talking to merchants, we are talking to service providers, we are talking to vendors and everyone that’s in the payment ecosystem about how this pandemic has changed the way that they do business and how they operate. And, as such, it changes some of the security implications that go along with that and, as well, how they demonstrate that security is in place and working as expected. So, with that, let’s talk first about some of those risks that we’re seeing. Nitin, why don’t you share with us what’s happening in India?
Nitin Bhatnagar: Thank you, Troy. India witnessed around a 40% jump in card-less payments including debit pay and wire payments. During the first quarter, as the global pandemic worsened, anywhere payment technology is a struggle, the COVID-19 crisis has been around the rise of fraudulent transactions. There is also a massive increase in cases of phishing, social engineering, critical cyber-attacks on transaction channels and more. During this time of uncertainty and increased online activity, cyber criminals are actively working to exploit the current COVID-19 story with attacks aimed at taking advantage of the situation. Let us understand ways to defend against these types of acts:
Be aware of the increase in online skimming attacks. Do not click unknown links. Keep computer use for social media sites, email and general internet browsing separate from computers used for processing financial transactions. Separate personal use devices from work devices. Change the passwords on computers and point-of-sale systems, including operating systems, security software, payment software, modems and routers, from the default ones the product came with to something personal to you that is difficult to guess, such as combining uppercase letters, numbers and special characters in your passwords. Practice good password hygiene. Many of these attacks rely on getting a password one way or another. Requiring another form of ID, such as security tokens, will make it harder for hackers to falsify an account. Use two-factor authentication. Last, but not least, solution providers should look at the adoption of the PCI CPoC data security standard for solutions that enable merchants to accept contactless payments using smartphones and other commercial off-the-shelf mobile devices.
Troy Leach: Thank you for that, Nitin. I appreciate it, recognizing that India and other parts of the world are looking at contactless payments and how that can not only improve their daily lives, but also be one of the ways that they feel is a safer and cleaner way of doing transactions, and how we can do that securely. You pointed to a PCI security standard as one of the ways you set a foundation for security for contactless. I appreciate that. What we recognize is, in this unprecedented time, we have a challenge with demonstrating that security is in place and, for that, I’ll turn the floor over to my colleague in Sao Paulo who has been working with local assessors and the payment community, as well as the rest of the PCI Council, on ways that we go about demonstrating good remote secure assessments. So, for that, Carlos, share your thoughts please.
Carlos Caetano: Thank you, Troy. So, first, PCI SSC recognized, in the current exceptional circumstances related to COVID-19, entities are asking how they can support payment security in assessment activities while also dealing with issues related to this global pandemic. So, while on-site assessments are always expected, in this unique circumstance, individual health and safety must be considered when making decisions regarding on-site assessments. So, this situation brings important considerations that I would like to discuss with you, Troy, and the audience.
So, first, on-site assessments should always be completed whenever possible. So, where those on-site assessments are temporarily not possible, assessors and entities should work together to identify which testing activities are feasible to perform remotely. That could include review of documentation, reviews of generated evidence and interviews. It’s very important to remember that the method by which those remote activities will be performed must consider the security to protect the entity’s data in the communication. It’s also important to remember that remote assessments are not always possible. And, for it to happen, some principles should be respected.
So, first, remote assessment activities must not reduce or negatively impact the security of the environment being assessed; must not require the violation of the PCI standard security requirement in order to assess that environment to that standard; and must be designed and implemented in a manner intended to avoid introducing additional risk of disruption to the entity’s operation; and remote assessments must be performed with the same rigor and integrity as an on-site assessment. So, for any questions related to that, the entity should contact the payment brands or acquirer to determine any compliance impact associated with remote assessments.
That brings up the point of the documentation of the results of those remote tests and activities. So, the assessor should clearly identify within the applicable report which requirements and testing procedures were performed remotely with a defendable approach and, as in the case with the on-site assessments, maintain evidence in their work papers. It’s critically important that those entities continue to maintain and monitor the effectiveness of their security controls during this period, ensuring that all required security controls are in place and working effectively at all times. And, finally, for all to remember, Troy, we are all in this together.
Troy Leach: Absolutely. We are in this together. Lastly, but never least, is our colleague in the UK, Jeremy King. Jeremy, we have an unprecedented time of not only trying to see how we demonstrate security remotely, but we have so much of our workforce now at home trying to just do their normal daily routine and business in a safe and secure manner. So, what can you share with us, some PCI guidance, on working from home?
Jeremy King: Thank you very much, Troy. For many people, it was a rush to enable remote work to take place. This country is locked down. Going forward we need to make sure that everything is in place and up-to-date to prevent criminals from gaining access, which means focusing on those three core areas: people, process and technology.
For people, all staff should receive security awareness training that emphasizes the importance of data security. Staff should be aware of their physical surroundings when working remotely and find a suitable location that prevents sensitive data and information from being observed. They should be aware of phishing emails and scams being used by criminals, especially in these challenging times, including criminals trying to impersonate company IT staff to obtain log-in data and credentials. Equally, IT staff must be aware of criminals trying to impersonate remote staff to gain access to passwords and systems.
Processes must be in place requiring staff connecting to company networks and systems to use multi-factor authentication. As Nitin said, use passwords which are easy to remember and hard to guess or calculate, along with a unique company credential, such as a token, passcode or smartcard, which provides the secure multi-factor approval. Policies and procedures must clearly prohibit any unauthorized copying, moving, sharing or storing of payment card data in remote environments. Finally, access to system components and cardholder data must be limited to only those individuals whose job requires such access.
The use of technologies that ensure payment data remains protected, whilst enabling remote personnel to perform their work securely, is also a vital consideration. This includes requiring all staff involved in payments and payment-processing to use company-provided equipment and not personal technology such as home computers. Companies must ensure that all computers are using the most up-to-date software that can be patched even while working remotely and that computers have the latest anti-virus software not only loaded but running. Finally, remote access sessions should automatically disconnect after a period of inactivity to avoid idle open connections being used by criminals. The PCI SSC have produced a number of blogs around working remotely securely as well as identifying potential scams and threats. So, do please visit our website and download these very useful blogs and infographics.
Troy Leach: Thank you, Jeremy. And in addition to everything that Mr. King and our other colleagues have mentioned, we have many different subjects that we have addressed on our website related to COVID-19 and how the payment industry is reacting to this.
In addition, we have the subject of extending the dates for the rollout of POI v.3 devices. Originally that was scheduled for April of this year. We’ve extended that by one year. We also have, now up and running once again, our instructor-led training. We have a proctoring service that itself had to shut down and was not able to conduct in-person proctoring. Now we have a remote service that is available for people that have been looking at getting certified to become a new assessor. We have, also on our website, several statements on COVID-19, and our perspective of what industry should be looking at as it relates to both security, and demonstration of that security, but also these new types of approaches, as Jeremy mentioned, such as working from home, and how we go about doing that securely.
A big concern for us is also the safety of those organizations and businesses that remain open, such as grocery stores and other types of retail, and for that, we have produced some guidance on how to maintain safety by disinfecting those POS devices securely but also in a way that prevents some of these rising attacks such as overlays and other types of card-present attacks and exploits we’re seeing in those environments.
In addition to that, there are many other pieces of information that are being updated regularly. We encourage people to go to PCISecurityStandards.org/COVID19 to find out more about what’s happening. As I mentioned, it is regularly being updated, almost daily, with new content as we hear questions and concerns from you about how we address the details and aspects of different standards as well as our programs and what that means for payment security going forward.
With that, I want to thank you for watching our video. We wish everyone a safe and comfortable stay at home or wherever they may be in the world. We also hope to see you again sometime in the near future but until then, please stay safe. Thank you from the PCI Security Standards Council.