America is reopening as states announce relaxed restrictions related to the coronavirus. During this time, businesses that handle credit cards must keep an eye on remaining PCI compliant as they reopen following COVID-19.
There are three main payment channels for PCI compliance: call centers, e-commerce, and retail shops. All three have considerations for returning to normal operations as business segments re-open. This article explores each area and the related factors to take into account.
Many businesses with call centers and customer service centers handling credit card information transitioned to home-based work locations during the pandemic. Now they are grappling with how to return their workforce to a secure office environment. Unwinding the measures implemented to facilitate remote work is best accomplished with a measured approach that supports PCI compliance.
Related Reading: Restaurants, Be Aware of PCI DSS Requirement 3.2 During COVID-19
New business norms are being established to allow for a safe return. Some capabilities may remain as part of the new way of working to support updated procedures and social distancing. Ensure network capabilities and other technology are robust and secure enough to support the return to the business. Considerations for the new workplace distancing and for the changes involved in returning from the remote work environment include:
Ensure employees laid off or terminated during the pandemic have been properly disabled in the mobile device management (MDM) console. To protect sensitive information and client relationships, validate that their registered devices have been wiped so that no email, company contacts, or other company information remains.
When transitioning employees back to the office, brief security awareness training is recommended. Include topics such as:
Servers hosting e-commerce sites need to be current on all vendor patching. Reopening businesses and offices is a good time to review all outstanding patches and apply them in order of criticality.
Related Reading: 3 Ways to Stay PCI Compliant During the COVID-19 Pandemic
Encryption (TLS) certificates should be reviewed to verify they are current and not approaching expiry. The list of encryption key custodians needs to be updated as well, and the protection of all encryption keys re-verified.
Access should be reviewed to verify that all privileged users are still current and that non-privileged users have the correct access. This includes:
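The two account checks above (terminated employees still enabled, and privileged or inactive accounts that nobody re-approved) are simple enough to script against an account export. The example below is added here and is not code from the original article or from Avertium; the account records, the approved-administrator roster and the terminated-employee list are constructed sample data, and the 90-day inactivity window is the PCI DSS 3.2.1 Requirement 8.1.4 limit for disabling inactive accounts.

```python
"""Added example (not from the original article): a minimal access review
over an exported account list. All data below is constructed sample data,
standing in for an export from a directory or identity system."""
from datetime import date, timedelta

# PCI DSS 3.2.1 Requirement 8.1.4: remove or disable accounts inactive for 90 days.
INACTIVITY_LIMIT_DAYS = 90

# Constructed sample export: one record per account.
ACCOUNTS = [
    {"user": "alice",   "role": "admin", "last_login": date(2020, 6, 1),   "enabled": True},
    {"user": "bob",     "role": "admin", "last_login": date(2020, 1, 15),  "enabled": True},
    {"user": "carol",   "role": "user",  "last_login": date(2020, 5, 20),  "enabled": True},
    {"user": "dave",    "role": "admin", "last_login": date(2020, 2, 20),  "enabled": True},
    {"user": "erin",    "role": "user",  "last_login": date(2020, 2, 1),   "enabled": False},
    {"user": "svc_pos", "role": "admin", "last_login": None,               "enabled": True},
]

# Constructed sample: who management has approved for privileged access,
# and who HR reports as terminated during the pandemic.
APPROVED_ADMINS = {"alice", "dave"}
TERMINATED = {"bob", "erin"}


def review_access(accounts, approved_admins, terminated, today,
                  limit_days=INACTIVITY_LIMIT_DAYS):
    """Return three sorted finding lists for the reviewer to action.

    terminated_still_enabled: HR says gone, directory says active.
    unapproved_privileged:    enabled admin accounts not on the approved roster.
    inactive_enabled:         enabled accounts with no login inside limit_days
                              (accounts that never logged in are flagged too; a
                              service account may be legitimate but still needs
                              a documented owner and justification).
    """
    cutoff = today - timedelta(days=limit_days)
    enabled = [a for a in accounts if a["enabled"]]

    terminated_still_enabled = sorted(
        a["user"] for a in enabled if a["user"] in terminated)
    unapproved_privileged = sorted(
        a["user"] for a in enabled
        if a["role"] == "admin" and a["user"] not in approved_admins)
    inactive_enabled = sorted(
        a["user"] for a in enabled
        if a["last_login"] is None or a["last_login"] < cutoff)

    return {
        "terminated_still_enabled": terminated_still_enabled,
        "unapproved_privileged": unapproved_privileged,
        "inactive_enabled": inactive_enabled,
    }


def run_review(today=date(2020, 6, 15)):
    """Run the review over the constructed sample with a fixed review date."""
    return review_access(ACCOUNTS, APPROVED_ADMINS, TERMINATED, today)


if __name__ == "__main__":
    for finding, users in run_review().items():
        print(f"{finding}: {', '.join(users) or 'none'}")
```

Each finding maps to a change ticket: disable the terminated account, either add the administrator to the approved roster with management sign-off or strip the privilege, and disable or justify the inactive accounts. Keeping the review date as an explicit parameter, rather than reading the clock, makes the review repeatable as evidence for an assessor.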
As retail locations open, credit card payments (swipe, dip, and contactless) will be in full swing. To prepare your credit card payment systems prior to opening:
As the pandemic spread, organizations may have adopted ad-hoc capabilities to support remote work. Returning to the normal business environment should follow change management procedures, with every change impacting the credit card environment fully documented and approved by management.
Whenever a change is made to the PCI network, use your change management ticketing system. Recording each change and its authorization tracks what was changed, why, and by whom, which is what allows you to monitor the security of the credit card environment.
For all environments, the return to work is a good time to have all employee passwords updated. Be certain the new passwords meet the policy requirements for creating secure passwords. One recommended practice is to use a passphrase. Also, be certain to educate your workforce about not reusing the same password across systems.
It is always easier to grant access to a system than it is to track down inappropriate access after the fact; being proactive ensures security is up to date and that your enterprise shows no weakness. This will help you stay PCI compliant while reopening following COVID-19.
Don’t just comply. Show No Weakness with Avertium’s PCI Compliance Consulting Services.