Remotely Working From Home Securely
How to Maintain PCI When Employees Work Remotely
This post contains part of the text from the SecurityMetrics Working From Home Securely Checklist.
Consider Your PCI Scope
When considering a work-from-home environment, it is important that you map out the flow of cardholder data to ensure safe collection and processing.
Establish your scope by answering the following questions:
How is data being received by employees?
Over the phone
Fax
Internet communications
Once data is received, how are employees processing this data?
What devices and network segments are involved in the transmission of cardholder data?
How is cardholder data stored, processed, and transmitted?
Address Your Network
A vital step in promoting a secure environment is addressing your network and keeping an encrypted connection between home-based computers/laptops and your corporate network.
Verify with your IT team that your VPN:
Watches for viruses
Monitors and logs all access
Oversees web activity
Make sure that employees:
Use only the company’s VPN and not free VPN software
Are receiving security awareness training tailored to protect the work-from-home environment
Assume that your employees' home networks and computers are not a secure option for processing payments
Continue the security stance of your CDE (Cardholder Data Environment)
Extend your CDE network via VPN connectivity or virtual desktop/Citrix solutions
Provide company-owned mobile devices that are:
Hardened
Capable of being managed remotely
Disable split tunneling in order to maintain proper network segmentation
Utilize your VoIP (Voice over Internet Protocol) endpoints, if included in your CDE
Send VoIP endpoints home with staff to use over a VPN or encrypted connection
Confirm VoIP data is encrypted when being transmitted over the internet
Keep in mind that call recordings may be in scope and must be protected
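One way to verify the split-tunneling item above on a Linux VPN client, as an added example that is not part of the SecurityMetrics checklist: the script reads a routing table (two constructed samples are embedded, and check_live reads the real one) and reports whether all traffic is forced through the VPN interface, assumed here to be tun0.

```shell
#!/bin/sh
# Added example: decide from a Linux routing table whether the VPN is
# running full-tunnel (everything through the VPN) or split-tunnel
# (some traffic bypasses it). Assumption: VPN interface is tun0.
VPN_IF="${VPN_IF:-tun0}"

# Constructed sample of `ip route show` on a full-tunnel client. The
# 0.0.0.0/1 + 128.0.0.0/1 pair (OpenVPN "def1" style) overrides the
# home router's default route without deleting it.
FULL_TUNNEL_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50'

# Constructed sample from a split-tunnel client: only the corporate
# 10.0.0.0/8 range goes over tun0; all other traffic leaves via wlan0.
SPLIT_TUNNEL_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50'

# route_via_vpn PREFIX ROUTES -> exit 0 if a route for PREFIX leaves
# via $VPN_IF. Fields are parsed with awk rather than matched by regex.
route_via_vpn() {
    printf '%s\n' "$2" | awk -v pfx="$1" -v ifc="$VPN_IF" '
        $1 == pfx { for (i = 2; i < NF; i++)
                        if ($i == "dev" && $(i + 1) == ifc) hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# tunnel_mode ROUTES -> prints "full" (exit 0) or "split" (exit 1).
# Full tunnel means the default route, or the 0.0.0.0/1 + 128.0.0.0/1
# pair that overrides it, points at the VPN interface.
tunnel_mode() {
    if route_via_vpn default "$1"; then echo full; return 0; fi
    if route_via_vpn 0.0.0.0/1 "$1" && route_via_vpn 128.0.0.0/1 "$1"; then
        echo full; return 0
    fi
    echo split; return 1
}

# check_live: evaluate this host's real routing table.
check_live() { tunnel_mode "$(ip route show 2>/dev/null)"; }

echo "full-tunnel sample:  $(tunnel_mode "$FULL_TUNNEL_ROUTES")"
echo "split-tunnel sample: $(tunnel_mode "$SPLIT_TUNNEL_ROUTES")"
```

A "split" result on a device that handles cardholder data means the home network is in scope; fix the VPN client profile (for OpenVPN, `redirect-gateway def1`) rather than the route table by hand.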
Reduce Your Risk
As you shift the handling of sensitive data (e.g., your cardholder data environment (CDE) or personally identifiable information (PII)) to remote locations, you can take steps to ensure the data is not at more risk than it would be if your employees were in your office.
Implement P2PE (Point-to-Point Encryption), if you are unable to extend your CDE network to remote locations
Consider different types of P2PE devices
Implement a P2PE endpoint so that employees' computers and home networks stay out of your PCI scope
Maintain Compliance
Now that you have defined your scope and understand your processes for sensitive data, you can take steps to secure your systems and maintain compliance.
Perform an annual assessment with a QSA (Qualified Security Assessor), if you are a level 1 service provider or level 1 or 2 merchant
Reach out to your QSA to:
Inform them of your proposed remote work environment
Confirm you have accounted for all security requirements
Keep your company secure while encountering significant environment changes
Verify that all relevant requirements (PCI, HIPAA, GDPR, HITRUST, etc.) have been implemented
Carry out a risk assessment
Update all documentation, including diagrams, policies, procedures and inventories
Run vulnerability scans
Perform a penetration test
Define what constitutes a significant change to your environment
Plan ahead for what steps are to be taken when a significant change to the CDE occurs
Familiarize yourself with applicable policies
Keep documentation to demonstrate that policies and procedures were followed
Continue to inform remote employees of:
Data security best practices
Current policies and procedures
Specific steps they must take before beginning work from home