ICAEW.com works better with JavaScript enabled.

COVID-19: implications for payment card data security compliance

17 April 2020: the spike in home-working has forced organisations to look at how they deal with card payments and data. ICAEW’s Tech Faculty rounds up specific guidance to help maintain security practices and protect payment card data.

One major but often overlooked consequence of the sharp rise in home-working caused by the government’s coronavirus measures has been to force organisations that deal with payments by credit/debit card to review their compliance with Payment Card Industry Data Security Standards (PCI DSS). 

Based on the PCI’s updated guidance, here is a summary of the specific requirements in the standard that can help organisations with remote workers maintain security practices and protect payment card data. For a full version of this piece visit the Tech Faculty’s extended summary.

Policies and procedures 

The first step should be to remind remote/home working staff that there are security requirements related to payment card data, and these are even more relevant in the current COVID-19 crisis.

Make sure they have access to a copy of company policies and procedures relating to payment card data. These should prohibit any unauthorised copying, moving, sharing, or storing of payment card data in remote environments. Remote staff should also be aware of their physical surroundings, for example taking care to prevent sensitive information from being viewed by unauthorised persons. 

Specific risks 

Remote or home working leads to some specific risks around the protection of payment card data. These include: 
 
1. The different application of secure processes and controls for remote working environments compared to onsite. 
2. Potential phishing calls.
3. Securing systems and data located in home-worker environments. 
4. The physical environment within which an office worker or home worker is taking card payments over the telephone.

Compliance assessments

On-site assessments will not be possible in many cases due to the ongoing movement restrictions. Remote assessments may be possible, but assessors must ensure that any check they perform remotely provides the necessary level of assurance that controls are properly implemented and requirements are met before they sign off that a requirement is “in place” and complete a report on compliance. 

Conclusion 

Remote working requires those organisations and individuals for whom this is a relatively new situation to re-evaluate the security aspects of their activities. The requirements of the PCI DSS are not being relaxed and are needed more than ever. 
 
For specific PCI DSS requirements for remote working visit the Tech Faculty’s extended summary.
 
The material in this article has, in the main, been collated from documentation publicly available on the PCI SCC website. We recommend reviewing this website regularly to keep updated on any changes made to the standard or their guidance over the coming weeks and months.