Implications of COVID-19 on PCI DSS compliance
This article is to help ICAEW members and their clients with questions they may have on PCI DSS compliance (Payment Card Industry Data Security Standard).
The material in this article has, in the main, been collated from documentation publicly available on the PCI SSC website. We recommend reviewing their website on a regular basis in order to keep updated on any changes made to the standard or their guidance over the coming weeks and months.
Introduction
COVID-19 has substantially changed the working environment. Home working has been mandated by the UK Government wherever possible. One of the major implications of this is for organisations that deal with payments by credit/debit card and are required to comply with the Payment Card Industry Data Security Standard (PCI DSS).
Although there have been specific (PCI DSS) requirements relating to remote working for a long time, the importance of these requirements is now coming to the fore. The specific requirements in the Standard that can help remote workers are listed below.
Policies and Procedures
To ensure compliance with policies and procedures, remote/home working staff may need to be reminded of the security requirements related to payment card data. These requirements are even more relevant in the current COVID-19 situation.
Policies and procedures should clearly prohibit any unauthorized copying, moving, sharing, or storing of payment card data in remote environments.
Remote staff additionally should also be aware of their physical surroundings, for example taking care to prevent sensitive information from being viewed by unauthorized persons.
Specific Risks
Remote/home working leads to some specific risks. These include:
- The different application of secure processes and controls in remote environments compared to onsite environments. For example, verifying the identity of a user calling IT for support could involve different steps than when the user and the IT department are onsite at the same location. Additionally, most companies operating their own service desks work from an email request, with an IT staff member raising a ticket or the user raising one through a self-service ticket system; the origin of such emails should be confirmed.
- Potential phishing calls. IT departments/staff should be prepared to identify rogue calls from people claiming to be remote users, and there should be a process for staff to confirm their identity when calling IT support remotely. Similarly, remote staff should know how to confirm that a person who phones claiming to be from IT support is legitimate before providing any information.
- Securing systems and data located in home-worker environments. This can be challenging and difficult to enforce. However, by limiting the exposure of payment data in systems, scope and validation are simplified, reducing the chance of being a target for criminals. Examples of recommendations for remote workers include:
  - Require all personnel to use only company-approved hardware devices, e.g. mobile phones, telephone handsets, laptops, desktops, and systems. This is especially relevant to remote/at-home working, ensuring that the entity can maintain control of the systems and technology supporting the processing of telephone-based payment card data.
  - Ensure that all desktops/terminals in remote/at-home working environments:
    - Have personal firewalls installed and operational.
    - Have the latest version of the approved virus-protection software and definition files.
    - Have the latest approved security patches installed.
    - Are configured to prevent users from disabling security controls.
- The physical environment within which an office worker or home worker is taking card payments over the telephone. This should be effectively monitored and access controlled. Examples of required controls include:
  - Ensuring that at-home/remote workers use a multi-factor authentication process when connecting to the telephone environment or to any systems that process account data.
  - Restricting physical access to media containing payment card data, such as call or screen recordings, as well as networking/communications hardware.
  - If account data is ever written or printed on paper, ensuring it is securely stored, then shredded when no longer needed.
  - If any part of the telephone environment is outsourced to a third-party service provider, both the entity and the service provider should clearly understand their responsibilities for securing their respective systems, processes, and personnel, and document them accordingly.
A Note about Compliance Assessments
On-site assessments will not be possible in many cases. Remote assessments may be possible, but assessors must ensure that any validation they perform remotely provides the necessary level of assurance that the controls are properly implemented and the requirements are met before they sign off that a requirement is “in place” and complete a report on compliance. Additionally, assessor companies may also consider engaging qualified local assessor resources to assist. For example, for a PCI DSS assessment, if the primary Qualified Security Assessor (QSA) is unable to travel to the onsite location due to health concerns, they may engage an approved subcontractor to perform the onsite aspects of the assessment in accordance with the QSA programme requirements (provided this is in line with the latest government COVID-19 advice about going to work).
All measures should be taken to ensure the results of a remote assessment are commensurate with those resulting from an onsite assessment; it may therefore take longer to conduct the assessment remotely. Additionally, certain types of tests can only be done in-person and completion delays may be unavoidable. All questions about how completion of an assessment may impact compliance should be addressed to the entity’s acquirer or the applicable payment brands.
Conclusion
Remote working requires those organisations and individuals for whom this is a relatively new situation to re-evaluate the security aspects of their activities. The requirements of the PCI DSS are not being relaxed, and, in fact, are needed more than ever.
Specific PCI DSS requirements for Remote Working
- Use multi-factor authentication for all remote network access originating from outside the company’s network.
- Where passwords are used, enforce a strong password policy and don’t allow the use of shared passwords. Educate personnel on the importance of protecting their passwords and other authentication credentials from unauthorized access.
- Ensure all systems used by staff working remotely have up-to-date patches, anti-malware protection, and firewall functionality to protect from internet-based threats.
- Uninstall or disable applications and software that are not needed, to reduce the attack surface of computers and laptops.
- Implement access controls to ensure that only individuals whose job requires access to the cardholder data environment (CDE) or cardholder data have access to those resources.
- Use only secure, encrypted communications—e.g., a properly configured VPN—to protect all transmissions to/from the remote device that contain sensitive information, such as cardholder data.
- Automatically disconnect remote access sessions after a period of inactivity, to avoid idle, open connections being used for unauthorized access.
- Limit access to system components and cardholder data to only those individuals whose job requires such access.
- Ensure incident response plans are up to date and include accurate contact details for key personnel. Procedures for detecting and responding to a potential data breach could be different for incidents originating from remote work environments.
This article is brought to you by the ICAEW Tech Faculty. Tech Faculty membership gives you access to exclusive premium content including our regular magazine, webinars, and extensive online resources focused on technical skills to support your career. For more information about faculty membership and our latest joining offers, please visit icaew.com/jointechfac