Organizations are facing a lot of change with remote work set-ups, in both physical location and operational shifts. Especially challenged are businesses that manage credit card information electronically and over the phone. These new working conditions unearth new risks for sensitive data. Social distancing can also bring about more social engineering attempts. According to the U.S. Secret Service, social engineering/phishing is a very common online attack right now.*
As workers adapt to their new normal, they need updated guidance on new protocols. PCI SSC suggests a review of key areas to protect payment card data. Below is a quick look at PCI's recommended controls.
- Ensure workers understand the latest best practices, where to go, and whom to contact for various security scenarios.
- Update the workflow for remote staff: how is data to be managed? Look at how workers communicate with customers, online and by telephone, and how data should be handled on each type of device.
- Require only company-authorized set-ups, systems, and devices for business processes.
- Update your Security Awareness Program and Policies & Procedures. If a third-party provider services your telephone or network, include them in awareness and policy training as well.
- Use Multi-Factor Authentication (MFA) for systems that hold account data. Store physical data documentation securely and destroy it when its purpose is complete (screen recordings, printed materials, etc.).
A best-practice strategy for continued reasonable security is to conduct a risk assessment on your inventory of security controls. Reasonable security, as required by regulators, takes into account a company's mission, objectives, and obligations. A balanced security strategy can be defined with the Duty of Care Risk Analysis (DoCRA) standard.
- Systems should have personal firewalls, the latest virus-protection software, and current patches installed. Additionally, configure systems so that users cannot disable these security controls.
- Avoid using BYOD (bring your own device) for sensitive data.
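One way to check a remote Windows endpoint against the firewall, anti-malware, patching and "controls cannot be disabled" points above is a read-only posture audit. The script below is an added example, not from the PCI SSC guidance or HALOCK; it assumes Windows 10/11 with Microsoft Defender (the `Get-Mp*` cmdlets), and the `$MaxSignatureAgeDays` and `$MaxPatchAgeDays` thresholds are assumed values for illustration, not figures from PCI DSS.

```powershell
# Added example (not part of the PCI SSC guidance or HALOCK's material).
# Read-only audit of a Windows endpoint: reports findings, changes nothing.
# Assumes Windows 10/11 with Microsoft Defender. Thresholds below are assumed.

$MaxSignatureAgeDays = 3     # assumed: how stale AV signatures may be
$MaxPatchAgeDays     = 30    # assumed: how long since the last installed update
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Personal firewall: every profile (Domain, Private, Public) must be enabled.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is not enabled") }

# 2. Anti-malware: engine on, real-time protection on, signatures fresh,
#    and Tamper Protection on so a local user cannot switch the controls off.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled)          { $findings.Add("Antivirus engine is disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is disabled") }
    if (-not $mp.IsTamperProtected)         { $findings.Add("Tamper Protection is off; security controls can be disabled locally") }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add("Antivirus signatures are $([int]$sigAge.TotalDays) days old")
    }
} catch {
    $findings.Add("Could not query Microsoft Defender status: $($_.Exception.Message)")
}

# 3. Patching: at least one Windows update installed within the window.
$latestPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $latestPatch -or ((Get-Date) - $latestPatch.InstalledOn).TotalDays -gt $MaxPatchAgeDays) {
    $findings.Add("No Windows update installed in the last $MaxPatchAgeDays days")
}

# 4. Report. Non-zero exit code lets a management tool flag the device.
if ($findings.Count -eq 0) {
    Write-Output "PASS: $env:COMPUTERNAME meets the endpoint baseline"
    exit 0
} else {
    Write-Output "FAIL: $env:COMPUTERNAME"
    $findings | ForEach-Object { Write-Output "  - $_" }
    exit 1
}
```

Run it from an elevated PowerShell session; the exit code makes it usable as a compliance check in whatever endpoint management tool pushes it out. It only detects problems: enforcing the settings (for example, turning on Tamper Protection, which is set through the Defender UI or a management policy rather than a cmdlet) is a separate, policy-driven step.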
For more detailed direction on how to protect payment data and payment processing workers while connecting and working remotely, you can access PCI SSC security requirements. We will provide new information as PCI SSC updates their guidance.
If you need support to help your remote teams mitigate risk, be aware of cyber threats, and maintain security over your payment processing data, let's talk about how we can streamline the process for you so you can focus on other priorities.
PCI WEBINAR SERIES
PCI DSS v3.2.1 expires on March 31, 2024. With 64 new requirements in PCI DSS v4.0, companies have a lot to consider in preparation for the coming deadline. In our 5-part PCI Webinar Series, running from April 27 to June 1, 2023, learn about the general changes in 4.0, the new requirements, best practices, and how an increased focus on risk evaluations in this new version will be a driving force for security and compliance.
Join Viviana Wesley, CISM, PCI QSA, ISO 27001 Auditor and HALOCK Principal Consultant to review key updates and next steps to support your transition to PCI DSS v4.0.