While many organizations have spent significant time and money implementing secure solutions to minimize their PCI scope and maximize the security of cardholder data in their environments, COVID-19 has had an impact on those solutions. Organizations have had to provision laptops en masse to users who were previously in the office, allow remote access to payment processing applications where none existed before, permit employees to set up their own offices at home, and so on. It is important to remember that security involves people, processes, and technology, and that changing any one of them can change your PCI scope.
As business as usual changes, it is important to educate and reinforce security awareness training among employees and introduce them to new security considerations in a work from home environment. This may also involve re-engineering processes to enhance security. Some key controls to keep in mind include:
– Employees should never store cardholder data locally on their machines.
– Newly provisioned systems must be appropriately hardened and include host-based firewalls to protect the machines from home networks.
– Multi-factor authentication must be implemented for all remote users who can access the cardholder data environment (CDE), including employees, administrators, and third parties.
– If new call routing solutions are being leveraged, understand how calls are recorded: recordings that capture cardholder data bring the recording platform into scope, and sensitive authentication data (such as the card verification code) must not be retained after authorization.
– Remote access connections must be configured to time out after a period of inactivity and require re-authentication to resume the session.
– Clean desk policies should extend to home workspaces: sensitive information should be handled in an area separated from the rest of the household and not left visible when unattended.
For more information or questions on working remotely or PCI DSS, contact us today!