Maintaining PCI Compliance remotely
Date published: 17 Apr 2020
With the number of businesses working remotely during the coronavirus outbreak continuing to rise amid government social distancing and isolation guidance, it is predicted that over half of U.S. (75 million) and UK employees will be working from home before the COVID-19 crisis is over. With a globally growing remote workforce, maintaining business operations amid the chaos, along with increased online sales, has opened up even more potential challenges for those handling sensitive customer payment card data. We know that the two main concerns, particularly for ISAs, will be adhering to the PCI DSS compliance standard and staying up to date with Compliance Assessments; as such, we thought we would delve a little deeper and share some considerations on the blog today.
As covered in our previous article, home working is undoubtedly having an impact on organizational security, particularly as remote workforces may be utilizing devices and routers that aren’t necessarily the most secure options for processing or storing sensitive data. In fact, you have to assume that this is the case when scoping out security vulnerabilities and risks, as cyber attackers will clearly look to capitalize on any opportunity. This is why it’s more important than ever to revisit PCI DSS compliance throughout the course of this transition period.
Recognize ‘changes in environment’ and put all applicable controls in place
Organizations are responsible for maintaining their overall compliance status. If there is a significant change to the cardholder data environment, you will need to review how this impacts your compliance standing (if at all) and confirm that all applicable controls to secure your customers’ sensitive data are in place. It is the responsibility of each organization to define what a ‘significant’ change is; however, if a large majority of your workforce has been migrated to home working, it is almost safe to assume that this falls into the ‘significant’ category. Naturally, with this evolution, considerations have to be taken into account to ensure your organization is keeping up with its Compliance Assessments during this time. Therefore, this changeover should involve an analysis of how the PCI DSS requirements have been impacted, and of any processes, documents or other material that will need to be updated to reflect this evolving working dynamic and achieve compliance.
Staying strategic and scoping out remote working environments
Many businesses may opt to start with a knowledge-based approach through a security awareness programme, ensuring that their team is properly trained in cyber security policies and procedures. However, as an organization, you should also look to evaluate the wider risks of home working, including mapping the flow of data (here’s the PCI SSC scoping guide should you need to refer to it), how data and payments can be processed securely, and how to secure a process that ensures data is not accessible to unauthorized users - a particular consideration if multiple members of the household are working remotely from the same router. We know that a multi-factor authentication process can prove pivotal, and some may also look to implement point-to-point encryption devices to prevent hacking and fraud, particularly when introducing company-owned devices that can be managed remotely. Regardless of your chosen approach, it should work in line with your current cyber defence strategy, leveraging your existing knowledge of vulnerability and risk and ensuring your current policies are not left forgotten. After all, consistency is key, and this is particularly true for assessment purposes as well as report writing. While Compliance Assessments may now also be carried out remotely for safety purposes, official guidelines state that the evidence supplied must provide at least the same level of assurance as for onsite assessments, and that its integrity cannot be compromised.
We understand that in the coming weeks, many organizations and teams will be facing similar challenges when it comes to PCI DSS compliance and will be reviewing their criteria and operations to ensure they’re meeting assessment standards, but there are products/solutions available to aid this process, including Titania Nipper. This is why we’ve recently put together a webinar covering remote auditing with Titania Nipper, focusing on identifying vulnerabilities within your firewalls, switches and routers, specifically for those working from home. Click here to access the webinar or book a demo.