The COVID-19 pandemic has had a significant impact on maintaining PCI compliance in a “business as usual” fashion for many organizations. As businesses transition to support remote work, take other measures to remain operational, and complete assessments on time in the face of COVID-related restrictions, it is important to ensure these alternative work arrangements do not affect an organization's Payment Card Industry Data Security Standard (PCI DSS) compliance status.

In many cases, the Payment Card Industry Security Standards Council (PCI SSC) has provided explicit guidance regarding how to maintain compliance in these unique situations. This article is designed to help you navigate the implications and stay PCI compliant during the COVID-19 pandemic.

How COVID-19 Can Impact PCI DSS Compliance

The COVID-19 pandemic has forced organizations to close physical locations and rapidly shift their business operations to a remote model, often without sufficient warning and preparation. However, despite these changes, it is essential that organizations properly protect the cardholder data entrusted to them.

1. Processing Payments Remotely

During the COVID-19 outbreak, many organizations are transitioning workers to a work-from-home model. This shift in workforce location can affect PCI DSS compliance if customer payment card data is being processed outside of the business's network.

One potential concern with the work-from-home model arises when organizations use payment card processing devices that move from a secure office environment to a home setting. In these cases, compliance is based on the effect that this transition has on how the device operates, stores, and processes data.

For example, some organizations process payments using devices that rely solely on cellular networks for communications, with no connectivity to local wireless networks. If this is the case, relocation of these devices for home use from office environments should not impact PCI DSS compliance during the COVID-19 outbreak.

Since these devices are being removed from secure storage locations in office environments, maintaining PCI compliance requires that they receive equivalent physical security protections while in transit and while deployed in home office environments.

2. Securing Your Remote Workforce

The PCI DSS requirements explicitly consider the possibility that employees will be working from home. Businesses transitioning to a mostly or wholly remote workforce should do the following:

  1. Use a multi-factor authentication (MFA) solution
  2. Enforce a strong password policy
  3. Restrict physical access to media containing payment card data
  4. Securely store and destroy any physical documents containing payment card data
  5. Restrict employees to the use of company-owned devices with the following controls in place:
    • Personal firewall installed and operational
    • The latest version of the corporate antivirus is installed and regularly scanning
    • All of the most recent security patches installed
    • Configuration restricting users from bypassing security controls
    • Unnecessary applications disabled or removed
    • Use of only secure and encrypted communications, such as a VPN
  6. Ensure that remote workers’ network setups are secured in accordance with PCI DSS requirements
  7. Limit access to cardholder data and the cardholder data environment (CDE) based on job responsibilities
  8. Automatically time out idle sessions after a certain period of inactivity
  9. Implement an incident response plan including coverage for remote workers

Many of these requirements are simple to implement and may already be in place as part of remote work agreements. If this is not the case, implementing them is essential before allowing remote workers to access and process cardholder data.

3. Adhering to PCI Guidance for ROCs

Every Level 1 merchant and service provider is required to complete an annual Report on Compliance (ROC). This involves an assessment by a Qualified Security Assessor (QSA) that determines if the organization’s security controls are in compliance with the requirements of the PCI DSS.

For those companies whose timing for their annual assessment has fallen during the COVID-19 pandemic, bringing security assessors on-site may be difficult or impossible.

The PCI SSC already had guidance in place for performing remote ROC assessments. This guidance requires the QSA to be able to defend the need for a remote assessment, explain how the remote testing provided a level of assurance equivalent to onsite testing, and show that the results are accurate.

In consideration of the COVID-19 outbreak, the council has recently released specific guidance for dealing with the pandemic: for those parts of the ROC assessment that cannot realistically be performed remotely, it is recommended that the primary QSA engage with an approved local subcontractor or delay certain types of tests until the situation improves.

Getting Help with Maintaining PCI Compliance During the Pandemic

The PCI SSC has established a webpage for all COVID-19 related updates that you can access here.

Avertium’s QSAs are here to help you show no weakness and stay PCI compliant during and beyond the COVID-19 pandemic. Don’t just comply. Show No Weakness with Avertium’s PCI DSS Compliance Consulting Services.