PCI DSS Compliance For Remote Access During COVID-19 Pandemic

Published on : 14 Aug 2020


As the COVID-19 pandemic continues to spread across the world, companies have embraced new ways of operating, including allowing employees and other stakeholders to work remotely. Government-mandated restrictions on the movement of individuals have pushed businesses to adopt remote working models. While this move has helped limit the spread of the virus, it has also led to a surge in cybercrime, including data breaches and theft.

With cybersecurity issues growing sharply, the PCI Security Standards Council was quick to recognize the crisis and the extraordinary circumstances companies around the world are facing. In response, PCI SSC issued guidance for remote work that stresses the need to maintain the security practices that protect payment card data. It is important to note that this guidance is written for the specific situation of remote work and does not in any way replace the existing PCI DSS requirements; it is meant to help companies maintain compliance while their employees work from home. Let us look at the guidance suggested by PCI SSC and at the preventive measures organizations should take in such a situation.

How does the PCI Data Security Standard (PCI DSS) support secure remote working? 

According to PCI SSC, one of the best ways to ensure continued compliance is to maintain a strong security culture within the organization. Establishing such a culture helps not only with the challenges of the COVID-19 situation but with any similar unforeseen situation in the future. PCI SSC lists several security requirements that should be implemented to protect remote workers and their environments. The guidance includes the following:

  • Use multi-factor authentication for all remote network access originating from outside the company’s network.
  • Enforce a strong password policy and do not allow shared passwords. Educate employees about the importance of protecting passwords and other authentication credentials from unauthorized persons.
  • Ensure all systems used by staff have up-to-date patches, anti-malware protection, and firewall functionality in place to protect against internet-based threats.
  • Uninstall or disable applications and software that are not needed, to reduce the attack surface.
  • Implement access controls to ensure that only authorized individuals have access to the cardholder data environment (CDE) and its resources.
  • Have an appropriately configured VPN in place to protect all transmissions to and from remote devices that handle sensitive information.
  • Automatically disconnect remote access sessions after a period of inactivity, so that idle, open connections cannot be used by unauthorized persons.
  • Limit access to system components and cardholder data to only authorized individuals.
  • Have appropriate incident response plans in place to deal with unforeseen situations. Note that the procedures for detecting and responding to a potential data breach in remote work environments may differ from those for on-site locations.
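As an added example (not part of the PCI SSC guidance or this article), the following Python script audits an OpenSSH server configuration, a common remote-access entry point, for three of the controls above: multi-factor authentication, no password-only logins, and a bounded disconnect for sessions that stop responding. The two configurations are constructed samples, and the 15-minute limit follows PCI DSS v3.2.1 requirement 8.1.8 (idle timeout of 15 minutes or less).

```python
"""Audit an OpenSSH sshd_config against the remote-access controls listed above.

Added example; the two configurations below are constructed samples, not taken
from any real host. The 15-minute limit follows PCI DSS v3.2.1 req. 8.1.8.
"""

MAX_IDLE_SECONDS = 15 * 60

# Constructed sample: the "before" state of a remote-access host.
WEAK_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PasswordAuthentication yes
# 0 is the default: sshd never probes the client and never disconnects it
ClientAliveInterval 0
"""

# The same file with the settings the guidance calls for.
HARDENED_CONFIG = """\
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
# key plus a second factor via PAM (e.g. a TOTP module); both must succeed
AuthenticationMethods publickey,keyboard-interactive
# 3 unanswered probes * 300 s = 900 s before the session is dropped
ClientAliveInterval 300
ClientAliveCountMax 3
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd uses the first occurrence of a keyword, so later duplicates are
    ignored here too. Parsing stops at the first Match block because the
    directives inside it apply only to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def requires_mfa(settings):
    """True when every accepted AuthenticationMethods chain needs two distinct
    methods (e.g. 'publickey,keyboard-interactive'). The directive is a
    space-separated list of alternative chains; each chain is a comma-separated
    list that must all succeed. The default 'any' accepts a single method."""
    raw = settings.get("authenticationmethods", "any")
    if raw.lower() == "any":
        return False
    return all(len(set(chain.split(","))) >= 2 for chain in raw.split())


def unresponsive_timeout_seconds(settings):
    """Seconds after which sshd drops a client that stops answering keepalive
    probes (ClientAliveInterval * ClientAliveCountMax), or None if it never
    does. This is not an inactivity timer for a user who is merely idle but
    whose client still answers probes; that case needs a shell timeout such
    as TMOUT or the VPN concentrator's idle timer as well."""
    interval = int(settings.get("clientaliveinterval", "0"))
    count = int(settings.get("clientalivecountmax", "3"))
    # 0 disables the mechanism (for ClientAliveCountMax since OpenSSH 8.2)
    if interval <= 0 or count <= 0:
        return None
    return interval * count


def audit(text):
    """Return a list of findings for the configuration; an empty list passes."""
    s = parse_sshd_config(text)
    findings = []
    if not requires_mfa(s):
        findings.append("no MFA: AuthenticationMethods does not require two factors")
        if s.get("passwordauthentication", "yes").lower() == "yes":
            findings.append("password-only logins permitted (PasswordAuthentication yes)")
    timeout = unresponsive_timeout_seconds(s)
    if timeout is None:
        findings.append("unresponsive sessions are never disconnected (ClientAliveInterval 0)")
    elif timeout > MAX_IDLE_SECONDS:
        findings.append(f"disconnect after {timeout}s exceeds {MAX_IDLE_SECONDS}s")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["OK"])
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`. The check covers only the global section; a `Match` block can loosen any of these settings for particular users or addresses, so review those by hand.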

VISTA InfoSec’s advice on preventive measures against data theft/breach during the COVID-19 situation

The best way to secure confidential data and prevent breaches is to build strong security policies and procedures and to run security awareness programs within the organization. This not only helps organizations deal with unforeseen situations but also prevents incidents that could disrupt business operations. Here are some measures we suggest organizations implement to safeguard their work environment and business data.

Security awareness programs

Having the necessary security awareness programs in place goes a long way toward protecting confidential data and preventing security breaches. Such a program keeps employees informed about the threats and risks they may encounter in an unprotected environment, and helps them understand the importance of data security and compliance. Companies that were PCI DSS compliant before this crisis will already have such a program in place; however, it may need to be adapted to address remote work challenges, for example by educating employees about the specific risks of working from home. Organizations will also have to find ways to ensure the continued security of the systems, processes, and equipment that support the processing of payment card data.

Disaster or incident response program

While the nature of a breach may differ in a remote working model, it is equally essential to have a separate or adapted incident response and disaster recovery program for the remote work environment. Organizations should define in advance the actions they will take in the event of theft or a breach, so that when an incident occurs they are in a better position to contain it and recover.


Monitoring process & Access

Circumstances are very different for organizations and for employees working from home, and verifying that employees adhere to security protocols is a real challenge. Companies must effectively monitor employees who work remotely and process card payments, and must have measures in place that enforce controlled access. Use multi-factor authentication so that no unauthorized person gains access to cardholder data or account data. Deploy software such as Data Loss Prevention (DLP) tools to secure and control data transfers: such tools let companies monitor the transfer of credit card information and block it through insecure exit points such as file-sharing services or instant messaging applications that employees may use while working remotely. Organizations must also ensure that employees destroy or shred sensitive documents that are no longer required, or store them securely under lock.
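The core check a DLP tool performs on outbound chat messages, e-mails and uploads is to find primary account numbers (PANs) and block or mask them. The Python below is an added example of that logic, not part of this article or of any DLP product; the sample chat transcript and the channel list are constructed, and the card numbers in it are publicly documented test numbers, not real accounts.

```python
"""Detect, mask and block primary account numbers (PANs) in outbound text.

Added example, not from the original article or any DLP product. The sample
messages are constructed; the card numbers are documented test numbers.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Exit points the policy treats as insecure for card data (constructed list).
INSECURE_CHANNELS = frozenset({"file-sharing", "instant-messaging", "webmail"})


def luhn_valid(digits):
    """Luhn check: from the right, double every second digit, subtract 9 from
    doubled values above 9, and require the sum to be a multiple of 10. This
    rejects most random digit runs and single-digit typos."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid PAN candidates in text, digits only, in order."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits):
    """Mask to first six / last four, the most PCI DSS requirement 3.3 allows
    to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text):
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, text)


def decide(text, channel):
    """DLP verdict for sending text over channel: 'block' when card data would
    leave through an insecure exit point, 'allow' otherwise."""
    if channel in INSECURE_CHANNELS and find_pans(text):
        return "block"
    return "allow"


# Constructed sample: an agent's chat transcript while working from home.
# 1234567890123456 fails the Luhn check and is left alone; the others are
# standard test card numbers and are detected.
SAMPLE_CHAT = (
    "agent: customer card is 4111 1111 1111 1111, exp 12/24\n"
    "agent: backup card 5500-0000-0000-0004\n"
    "agent: order ref 1234567890123456 shipped\n"
    "agent: amex on file 378282246310005\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_CHAT))
    print(decide(SAMPLE_CHAT, "instant-messaging"))
    print(redact_pans(SAMPLE_CHAT), end="")
```

Length plus Luhn is the minimum a DLP rule needs; it still fires on other Luhn-checked identifiers (some device IMEIs, for example), so production tools add issuer (IIN) range checks and surrounding-context rules, and they also normalise text that has been split across lines or obfuscated, which this regex would miss.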


Company approved hardware

Employees should use only company-approved hardware for work, including laptops, phones, hard disks, drives, and USB devices. This is one way an organization can maintain control over the systems and technology supporting payment processing. Organizations can deploy DLP and device-control tools to ensure that no unauthorized devices are connected to work computers; such tools not only limit unauthorized access but can also block USB and peripheral ports. We also recommend that organizations keep employees’ laptops updated with firewalls, antivirus solutions, and the necessary security patches. The security controls deployed should be configured so that users cannot disable them.


Conclusion

VISTA InfoSec has been serving clients in the industry for nearly 16 years, so, knowing the ins and outs of information security, we can help our clients maintain compliance even in a crisis. Our expert advisors can assist companies in preventing, or dealing with, a breach or theft. If you are looking for expert advice on the current challenges of the COVID-19 situation, drop us a mail at askus[@]vistainfosec.com. For more details about our company and our InfoSec solution offerings, visit our website www.vistainfosec.com.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.