Every American has been impacted by the COVID-19 outbreak in some way, shape, or form in the last few weeks. Most notably, with local and state governments urging or mandating their residents to stay home, organizations all over the country are shifting to remote work to keep the doors open.
On the one hand, it’s fantastic that our technological advances have allowed many employees to work from anywhere. On the other hand, remote work is not without challenges—particularly as it relates to information security.
Organizations that take credit card information face even greater information security difficulty.
It may seem obvious, but your security requirements for payment card information aren’t isolated within the four walls of your office. If it’s necessary that employees process card transactions while they work remotely, it’s also necessary that those employees adhere to the PCI guidelines as well as security best practices. Otherwise, the companies they represent may face fines and (worse yet) people’s financial information may be compromised because of the employee’s noncompliance.
So, as we shift our employees to remote and home offices, here are the payment card processing things we need to consider, monitor, and adhere to:
Review the Organization’s PCI Scope
Ensuring that PCI compliance is attained and maintained is incredibly difficult without a firm understanding of what is in and out of scope. If a scope has not been created, this would be a good time.
Review the Various Payment Channels
Card-in-Hand
- This will largely not be affected, as most organizations do not have customers visiting employee home offices.
Mail Order/Telephone Order (MOTO)
- This one likely presents the largest challenge:
  - The home needs to have an appropriate shredder for any card data that is mailed to or otherwise shows up at the home office.
  - How does the employee process the card data that they receive?
    - Is the information entered into a P2PE or E2EE device?
      - Due to the encryption features, there is largely no change.
      - Check with the acquiring bank to confirm.
      - Document which devices go to which home offices and ensure that they continue to receive the same governance as if they were in the office.
    - Is the information entered into a phone-line-connected device?
      - Follow the guidelines and requirements from SAQ-B.
      - Due to the phone-line connectivity, there is largely no change.
      - Check with the acquiring bank to confirm.
      - As with the P2PE/E2EE option above, document which devices go to which home offices and ensure that they continue to receive the same governance as if they were in the office.
    - Is the information entered into a network-connected, non-encrypting device?
      - This requires PCI-level control over the network to which the device is connected.
        - Send a preconfigured firewall home with the employee.
        - The employee must connect the card reader device to the firewall and then connect the firewall to their home firewall.
        - This is more complex, but it gives the organization control over the network to which the device is connected.
        - The firewall will need to ensure that log data is sent back to a central repository to continue the organization’s incident detection and response capabilities.
    - Is the information entered into a web-based payment portal?
      - This requires PCI-level control over the network to which the computer is connected, and over the computer used to access the payment portal.
        - Send a preconfigured firewall and computer home with the employee.
        - The employee must connect the computer to the firewall and then connect the firewall to their home firewall.
        - This is much more complex, but it gives the organization control over both the network and the computer.
        - The firewall and computer will need to ensure that log data is sent back to a central repository to continue the organization’s incident detection and response capabilities.
    - Is the information entered into an application installed on their workstation in the office?
      - This requires PCI-level control over the network to which the computer is connected, and over the computer that runs the payment application.
        - Send a preconfigured firewall and computer home with the employee.
        - The employee must connect the computer to the firewall and then connect the firewall to their home firewall.
        - This is much more complex, but it gives the organization control over both the network and the computer.
        - The firewall and computer will need to ensure that log data is sent back to a central repository to continue the organization’s incident detection and response capabilities.
        - The computer will need to be configured in a way that allows the organization to identify vulnerabilities proactively.
Ecommerce
- This will be largely unaffected, as the location of the web servers will not change. However, the method of managing the web servers may change.
  - This is a remote-access scenario, where the PCI council is largely concerned with securing the connection into the web server environment.
  - Follow the segmentation guidance that the PCI council released.
  - Create a jump-box network and limit access between the CDE, the jump-box network, and the internet accordingly.
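Both the home-office design above (a card reader or organization-issued computer on its own segment behind a preconfigured firewall that forwards logs to a central repository) and the ecommerce jump-box design come down to the same control: an explicit allow list between zones with everything else denied. The following is an added example, not code from the original post or from FRSecure, that models such a zone policy and runs a handful of constructed connection-attempt log lines through it. Every address range, zone name, port and rule is a constructed placeholder (RFC 5737 TEST-NET ranges stand in for the acquirer and the log collector); the point is the checking method, not any particular organization's addressing.

```python
"""Zone-based segmentation check for the remote payment-device and jump-box
designs.  Added example; all zones, addresses and rules are constructed
placeholders, not an organization's real network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones. "internet" is the catch-all; a more specific prefix wins.
ZONES = {
    "home_lan":      ["192.168.1.0/24"],   # the employee's own household network
    "payment_lan":   ["10.77.0.0/24"],     # segment behind the organization-issued firewall
    "corp_vpn":      ["10.10.0.0/24"],     # administrators arriving over the corporate VPN
    "jump":          ["10.20.0.0/24"],     # jump-box network
    "cde":           ["10.30.0.0/24"],     # cardholder data environment (web servers)
    "log_collector": ["203.0.113.10/32"],  # central log repository (placeholder address)
    "acquirer":      ["198.51.100.0/24"],  # acquirer / payment gateway (placeholder range)
    "internet":      ["0.0.0.0/0"],
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None means any destination port
    note: str

# Explicit allow list; any flow not matched here is denied.
RULES = [
    Rule("payment_lan", "acquirer", "tcp", 443, "card reader / portal to the payment gateway"),
    Rule("payment_lan", "log_collector", "tcp", 6514, "syslog over TLS to the central repository"),
    Rule("corp_vpn", "jump", "tcp", 22, "admins reach the jump box only from the VPN"),
    Rule("jump", "cde", "tcp", 22, "jump box administers the web servers"),
    Rule("internet", "cde", "tcp", 443, "customers reach the ecommerce site"),
]

# Zone pairs the design says must never be allowed, in either direction where listed.
FORBIDDEN_PAIRS = [
    ("home_lan", "payment_lan"), ("payment_lan", "home_lan"),  # household devices vs. card segment
    ("internet", "jump"), ("jump", "internet"),                # jump box reachable only via the VPN
    ("cde", "internet"),                                       # CDE never initiates to the internet
    ("home_lan", "cde"),
]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(ip: str) -> str:
    """Longest-prefix match of an address to a zone name."""
    addr = ip_address(ip)
    best_name, best_len = "internet", -1
    for name, nets in ZONES.items():
        for cidr in nets:
            net = ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name

def evaluate(flow: Flow):
    """Return ("allow", note) for the first matching rule, otherwise ("deny", reason)."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    for r in RULES:
        if (r.src, r.dst, r.proto) == (s, d, flow.proto) and r.dport in (None, flow.dport):
            return "allow", r.note
    return "deny", f"default deny: {s} -> {d} {flow.proto}/{flow.dport}"

def policy_violations():
    """Allow rules that contradict a forbidden zone pair (empty list = the design holds)."""
    return [r for r in RULES if (r.src, r.dst) in FORBIDDEN_PAIRS]

# Constructed connection-attempt log lines in the key=value shape many firewalls emit.
SAMPLE_LOG = """\
src=10.77.0.5 dst=198.51.100.20 proto=tcp dport=443
src=192.168.1.23 dst=10.77.0.5 proto=tcp dport=445
src=10.77.0.5 dst=192.0.2.44 proto=tcp dport=80
src=10.10.0.7 dst=10.20.0.4 proto=tcp dport=22
src=10.20.0.4 dst=10.30.0.12 proto=tcp dport=22
src=10.30.0.12 dst=192.0.2.44 proto=tcp dport=443
"""

def parse_flow(line: str) -> Flow:
    kv = dict(field.split("=", 1) for field in line.split())
    return Flow(kv["src"], kv["dst"], kv["proto"], int(kv["dport"]))

def audit(log_text: str):
    """Evaluate every logged attempt; return (allowed, denied) lists of (flow, reason)."""
    allowed, denied = [], []
    for line in log_text.splitlines():
        if line.strip():
            flow = parse_flow(line)
            verdict, reason = evaluate(flow)
            (allowed if verdict == "allow" else denied).append((flow, reason))
    return allowed, denied

if __name__ == "__main__":
    assert not policy_violations(), policy_violations()
    ok, blocked = audit(SAMPLE_LOG)
    for flow, reason in blocked:
        print(f"DENY  {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    for flow, reason in ok:
        print(f"ALLOW {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the constructed sample, the household device probing the card-reader segment, the payment segment trying plain HTTP to the internet, and the CDE initiating an outbound connection all land in the denied list, which is exactly what the central log repository should be surfacing for incident detection. The `policy_violations` check is the part worth keeping when the rule set is edited in a hurry: it fails the moment someone adds an allow rule across a pair the design says must stay closed.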
Communicate the Payment Card Requirements to the Staff
Most staff are unaware of the nuances in remote office security that can introduce large security risks to your business. It’s critical to give them extra guidance and instruction in this new workflow:
- An internal video is a fairly uninvolved yet effective way of walking staff through the changes and risks that must be addressed. Five to ten minutes can really go a long way in keeping all of your employees on the same page about payment card security.
- Attackers will take advantage of this situation, and one of the simplest ways to protect your business from them is to create awareness among your staff. Any additional security education that can be made available as we begin to recognize the attacks that are formulating will help your staff recognize (and hopefully avoid) scams.
- The PCI council has released some information that may be helpful as you look to increase awareness.
- Ask for feedback from your staff. If they are able to tell you if they interact with cardholder data in any other fashion, it will provide the organization valuable insight into a potentially overlooked process. If the employee has any ability to see card data from their home office/computer, then the organization must ensure that appropriate controls are in place and effective.
Document Everything You Can
The only certain thing is uncertainty right now. Because of this, all companies need to be documenting their changes regarding payment card security and their new environments.
Effectively, we either need to know what to do in the event another unexpected change occurs, or we need to be able to return to our normal state of business after this all clears up. Both require documentation.
Whether the person in charge of these changes becomes unable to work, leaves the company, or is otherwise unavailable, the next person in line needs to understand how to handle the tasks at hand. If the person creating these solutions leaves the company without documentation, it will be a nightmare to figure out what has been set up for people and where equipment has been supplied.
If and when the outbreak diminishes to the point we are able to return to our offices, the changes we made will no longer apply. We need to know how to revert our changes to a state that makes the most sense for our office environments. Basically, you need to know what you changed when you moved remote so you can undo it later. If you are working too fast to document, you are working too fast.
Closing
Despite our technological advances allowing many employees to work from anywhere throughout required times of isolation, remote work is not without information security challenges.
Accepting payment card information at an employee’s home on behalf of the business is not something many of us are accustomed to. However, reviewing the PCI scope of your business, reviewing the payment channels that exist in your current environment, communicating new requirements (and reiterating the unchanged ones), and documenting any changes you make will keep you moving in the right direction.
As we look to both comply with PCI requirements and protect the sensitive financial information we are entrusted with, it’s important that we stay nimble with our security practices as we continue to adapt to this new normal.
For assistance with payment card security, adapting to your new remote environment, or any other topics relating to information security, reach out to us at frsecure.com.