Is your organisation PCI DSS-compliant during the coronavirus pandemic?

Many of us have adapted well to working from home during the coronavirus pandemic, but employees responsible for handling payment card transactions won’t have had such an easy time.

That’s because they’re required to perform their jobs in line with the PCI DSS (Payment Card Industry Data Security Standard), which contains a set of requirements on the technologies and processes that are used when handling payment card information.

The established set-up of the office has been replaced by employees’ own homes, creating a dispersed compliance scope that organisations are bound to struggle with.

But short of halting payment transactions altogether, how are organisations supposed to ensure they don’t fall foul of the PCI DSS? Let’s take a look.

Adapting your hardware

The PCI DSS contains several requirements on the way organisations must secure their technologies.

For example, they must configure and install firewalls on all devices that are within the Standard’s scope and apply software updates within 30 days of their release.

Organisations will have a much easier time controlling these if employees are using work-issued devices – and not only because the appropriate software will already be installed.

Using a work laptop means you can install remote access software, enabling your IT team to check that hardware is adequately protected and help employees who are having trouble performing the necessary tasks.

But while you might be able to issue each employee a laptop, you might not have the budget for work-issued phones – which could pose a problem given how important they are when working from home.

One reason for that is that mobile phones are commonly used for 2FA (two-factor authentication) – an ideal alternative to whitelisting IP addresses.

Approving every home worker’s IP address is probably far too complicated – and it isn’t especially effective either, given that another member of the household could capture information on the device.

As such, 2FA ensures that the person logging on has both the correct login credentials and the phone associated with that account.

But as helpful as phones are, they can also introduce risks. For example, it might be tempting for employees to instant message each other via phone and maybe even share work information.

Personal phones are outside the organisation’s PCI DSS scope, making such practices very risky.

It’s therefore best to avoid this practice altogether. Remind your employees of the security risks involved and urge them not to do it.

Personal Wi-Fi connections

Organisations may well end up frustrated at the lack of control they have over employees’ Wi-Fi connections.

Everything that staff do while working from home is transmitted over their routers, but because it’s not the organisation’s property, employers can’t adjust the technology to make sure it’s secure.

But organisations can issue guidance that instructs employees on the steps they can take to secure their Wi-Fi connections. For example, any employee that accesses cardholder data must ensure that their Internet connections provide strong encryption and that the routers don’t use default passwords, such as ‘admin’.

Some organisations might choose to use a VPN (virtual private network) as an extra layer of protection. It works by routing your device’s Internet connection through a private server rather than your Internet service provider.

This will mitigate certain risks, but it could introduce new ones. For example, you must make sure that employees use strong passwords and that they exercise good password practices.

That means not leaving them written down, sharing them with anyone or reusing a password from another account.

Are your employees aware of the threat?

As the panic and uncertainty of the coronavirus pandemic continues, it’s essential that everyone in your organisation understands the risks and their obligations for protecting sensitive information.

With the continued chaos, you don’t want to leave the threat of a data breach to chance – and thanks to our PCI DSS staff awareness training course, you don’t have to.

In under an hour, your employees will gain valuable insight into how to comply with the PCI DSS. The course provides a comprehensive introduction to the Standard and its requirements, and explains the simple steps you can take to ensure sensitive data is secured.

And because it’s delivered online, you don’t need to disrupt your new work-from-home set-up. Staff can study from the comfort of their own homes, around their other work and personal commitments and without jeopardising their safety.
