WHY IS PCI COMPLIANCE IMPORTANT IN TODAY’S MARKET?

Andrew Linn is a Principal Consultant for Security Risk Management (SRM)

 

With the world in a state of economic upheaval as a result of the Covid-19 pandemic, why should business leaders be allocating time and resources to PCI DSS compliance? It may sound trite, but in times of crisis we are advised to focus on the things that are within our control, not to use up energy fretting about the things we can't.

 

So, while certainty remains elusive and the global economy reels from the impact of the Coronavirus, focusing on what can be done to safeguard organisations is the best use of resources in these difficult times. PCI Data Security Standard (DSS) compliance is something that, if achieved and maintained, will make a tangible difference to safeguarding the future viability of every business, whatever the future may hold.

 

But don't stop reading because you have already achieved PCI DSS compliance, even if you have only recently passed your PCI DSS compliance audit. There are important things to be aware of which will make a difference to your organisation's ability to cope with the data security implications of remote working.

 


In recent weeks there has been a seismic change in the way businesses operate. In particular, there has been a huge increase in remote working over the months of February, March and April. In a normal world this transition would have taken months or even years to complete, but businesses have had to force through remote working in a matter of days. Staff working from home for the first time need to be fully informed about the organisation's policies and processes for the protection of data, in particular the required restrictions on the unauthorised copying, moving, sharing or storing of payment card data in remote environments.

 

They also need to know how to protect sensitive information. Failure to do this could leave an organisation vulnerable, and there is evidence that cyber criminals are capitalising on these opportunities. It is a perfect storm for them, particularly where they can identify inadequately protected computers or lax authentication practices. Action Fraud reported a new trend in fraud related to Coronavirus which saw nearly £970,000 of losses between 1st February and the end of March; an increase of 400 per cent.

 

Office-based systems may be relatively secure, but there are additional risks associated with remote working when payment card data is processed in unsecured locations. The steps required to ensure secure controls and processes will therefore differ in key areas between onsite systems and remote access. PCI DSS includes clear security requirements that set out to protect remote workers and their environments.

 

A key aspect is the need to restrict access to those who actually need to operate within the cardholder data environment (CDE). PCI DSS also sets out stipulations for remote workers, including multi-factor authentication, strong passwords and means of identifying genuine employees. Only devices provided by the business should be used to handle card data, and those devices should have up-to-date patches, anti-malware and a firewall installed. There are also precautionary measures to reduce the attack surface of computers and laptops, in addition to procedures for detecting and responding to phishing attacks and potential data breaches.

 

An essential element of PCI DSS compliance is an incident response plan, which should be regularly updated. It should list all key people and their correct contact details, including where they are now working from. If the plan is not up to date it needs to be revised, as this is a crucial step in ensuring ongoing compliance.

 

Given the correct training and awareness, there is no reason why the remote working model cannot be as secure as the onsite model. In this compressed timeframe it does, however, require strong leadership and clear communication to ensure that policies are understood and followed at all times.

 

A word of caution, however. PCI DSS compliance is an ongoing process. It is like a car MOT: valid at the time the audit is completed, but if anything changes the car may no longer be roadworthy. It is the same for PCI DSS compliance: if changes are made to a system and those changes don't follow the policies, processes and procedures that were audited, then the compliance status may no longer safeguard the organisation from threats. Where remote working is not already integrated into existing business practices, it introduces exactly this kind of change, and one that carries a high degree of risk. It's more important than ever that PCI DSS compliance is not only achieved, but maintained.

 

Those who are due to be audited in the near future can still be assessed for compliance. While COVID-19 presents a number of challenges to traditional on-site observations and activities, remote assessments can be carried out in most situations and remain as rigorous as the standard process. Professional advice is recommended for anyone unsure of what is required for these assessments.

 

The PCI Security Standards Council (SSC) has said: ‘All organisations should evaluate the additional risk associated with processing payment data in the unsecured locations and implement controls accordingly.’ It remains as important as ever that organisations demonstrate ongoing compliance over the coming weeks and months. Not only will this stand businesses in good stead with the PCI SSC, their customers and their acquiring bank, it will help them defend their organisation from a potentially damaging breach.
