In order to protect the health of employees from the coronavirus (COVID-19) pandemic and to minimize the risk of financial losses due to productivity concerns, many companies are making plans to allow employees to work from home. If your company is looking into remote work options that would affect your cardholder data environment, here are some considerations to keep in mind.
PCI DSS requires that companies continuously maintain their PCI DSS compliance status. If significant changes are made to your cardholder data environment, it is important that you review how these changes affect your compliance status and that all applicable PCI DSS controls are in place to secure this sensitive customer data.
Define the Scope of the Remote Work CDE
When considering a work-from-home implementation where employees will be collecting or processing cardholder data, begin by mapping out the flow of cardholder data. How is data being received by the employees (over the phone, fax, Internet communications, etc.)? Once this data is received, how are employees processing the data? What devices and network segments are involved in the transmission of cardholder data? Realize that any system involved in the storage, processing, or transmission of cardholder data is in scope for your environment, as is any system that can affect the security of these devices.
For guidance on how to perform a scoping exercise, review the PCI SSC’s scoping guide.
Extending the Existing CDE
Many organizations will already have an existing CDE with mature controls designed to protect customer data. When considering a work-from-home scenario, attempt to leverage your existing CDE.
Assume that your employee’s home network and computer are not a secure option for processing payments. You can maintain the security stance of your CDE by extending your CDE network via VPN connectivity and providing company-owned mobile devices that have been hardened and can be managed remotely. Also, keep in mind that split tunneling should be disabled in order to maintain proper network segmentation.
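The split-tunneling point above is easy to state and easy to get wrong on a client. The following script is an added example, not code from the original post or from SecurityMetrics: it reads a Linux routing table in the text format printed by `ip route show` and reports whether Internet-bound traffic is forced through the VPN. It assumes the tunnel interface is named `tun0`, and the two routing tables it checks are constructed samples. It handles the case an assessor most often has to explain: a full tunnel built from a `0.0.0.0/1` and `128.0.0.0/1` pair still shows the home router as the "default" route, yet is not a split tunnel because the more specific routes win.

```python
"""Detect split tunneling from a Linux routing table.

Added example, not from the original post. It assumes the VPN interface is
named ``tun0`` (an assumption) and that the input is the text printed by
``ip route show``. The sample tables below are constructed for illustration.
"""
from typing import Dict, List, Optional

VPN_IFACE = "tun0"  # assumed name of the VPN tunnel interface

# Constructed sample: full tunnel built from two /1 routes via tun0. They are
# more specific than the LAN default route and so capture all traffic; the host
# route to the VPN server (203.0.113.10, a documentation address) stays on wlan0.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed sample: split tunnel. Only the corporate 10.10.0.0/16 goes
# through the VPN; everything else leaves via the home router.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
"""


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Turn ``ip route show`` lines into dicts with dest, dev and metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev: Optional[str] = None
        metric = 0  # kernel default when no metric is printed
        for i, tok in enumerate(parts):
            if tok == "dev" and i + 1 < len(parts):
                dev = parts[i + 1]
            elif tok == "metric" and i + 1 < len(parts):
                metric = int(parts[i + 1])
        routes.append({"dest": dest, "dev": dev, "metric": metric})
    return routes


def is_full_tunnel(routes: List[Dict[str, object]], vpn_iface: str = VPN_IFACE) -> bool:
    """True if Internet-bound traffic is forced through the VPN interface.

    Two layouts count as full tunnel: the lowest-metric default route uses the
    VPN, or the 0.0.0.0/1 + 128.0.0.0/1 pair (more specific than default, so it
    wins regardless of metric) both use the VPN.
    """
    defaults = [r for r in routes if r["dest"] == "0.0.0.0/0"]
    if defaults:
        best = min(defaults, key=lambda r: r["metric"])
        if best["dev"] == vpn_iface:
            return True
    via_vpn = {r["dest"] for r in routes if r["dev"] == vpn_iface}
    return {"0.0.0.0/1", "128.0.0.0/1"} <= via_vpn


def split_tunnel_report(text: str, vpn_iface: str = VPN_IFACE) -> Dict[str, object]:
    """Summarise a table: is it a full tunnel, and which routes bypass the VPN.

    Routes on other interfaces are listed so a reviewer can confirm that only
    the local link and the VPN server itself are reachable outside the tunnel.
    """
    routes = parse_routes(text)
    bypass = sorted(str(r["dest"]) for r in routes if r["dev"] != vpn_iface)
    return {"full_tunnel": is_full_tunnel(routes, vpn_iface), "bypass_routes": bypass}


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        print(name, split_tunnel_report(table))
```

The `bypass_routes` list is the part worth keeping as evidence: on a correctly configured client it should contain nothing beyond the local LAN prefix, the home router's default route (shadowed by the /1 pair) and the host route to the VPN concentrator itself.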
Most enterprise phone deployments have moved to Voice over IP (VoIP). VoIP offers great flexibility that can also be leveraged in a work-from-home scenario. If your CDE includes telephone-order options, send VoIP endpoints home with your employees and extend your VoIP system to them over an encrypted connection (such as a VPN).
When implementing a work-from-home scenario that will include telephone-order transactions, ensure that VoIP data is encrypted when being transmitted over the Internet, and keep in mind that any call recordings would be in scope and must be protected.
For more information on protecting voice communications, see the PCI SSC’s guidance on Protecting Telephone-based Payment Card Data.
Risk Reduction Strategies for a PCI-Compliant Remote Workforce
If you are unable to extend your CDE network to remote locations, implementing P2PE may be a good option to reduce both the cost of compliance and the risk to your customers’ payment data. There are a variety of P2PE devices that can be used to input cardholder data. Some of these devices are standalone terminals, while others can be used as a USB-connected keypad. Implementing a P2PE endpoint may allow you to keep the employee’s computer and network out of scope for your environment.
Effect on Annual Compliance Assessment
Many may wonder how such a change will affect the company’s annual PCI DSS assessment. If you are a level 1 service provider or level 1 or level 2 merchant, you are likely performing an annual assessment with a QSA. If this is the case, be sure to reach out to your QSA and inform them about your proposed remote work environment to ensure that you’ve accounted for all security requirements that will need to be validated during the annual assessment.
Also keep in mind that the PCI DSS requires that, upon significant changes to the environment, an organization must verify that all relevant PCI DSS requirements have been implemented within the new environment and that all documentation (policies, procedures, inventories, etc.) has been updated (see Requirement 6.4.6).
PCI DSS also requires that vulnerability scanning (Requirement 11.2), penetration testing (Requirement 11.3), and risk assessments (Requirement 12.2) be performed after a significant change to the CDE.
Your organization should define what constitutes a significant change and what steps need to be taken when a significant change to the CDE is made. Be sure you are familiar with your applicable policies and keep documentation that can be shown during your assessment to validate that policies and procedures were followed.
As a result of COVID-related lockdowns and related travel restrictions, many PCI assessments are being conducted remotely over video conferencing solutions. If your organization will be assessed remotely, the need to collect and provide accurate documentation (e.g., diagrams, configuration exports, screenshots) leading up to your remote assessment will be more important than ever. Begin working with your QSA early to determine what documentation will need to be provided and how your organization can best support a remote assessment. Keep in mind that the ability to perform remote assessments is likely a temporary accommodation from the PCI SSC.
Michael Simpson (QSA, CISSP, CCNP) is a Principal Security Analyst at SecurityMetrics and has been in the IT Security industry for over 15 years. He has a Bachelor of Science in Computer Science and a Masters in Business Administration.