How A Remote Workforce Can Compromise PCI Security Standards

Here Are Some Tips on How to Stay Compliant

ERMProtect is dedicated to helping provide security training and standards to everyone involved in the shifting remote workforce during the COVID-19 crisis. As more companies begin to shift to a remote workforce, it’s important to adhere to PCI compliance and protect payment information.

Many point-of-sale vendors are shifting to a remote workforce to support payment systems, making compliance more critical than ever. Vendors do this using “remote access” software products, operated from their homes over the internet. Often, these remote access systems are left on and reachable around the clock so that vendors can get to customer systems at any time. This makes it easy for bad actors and hackers to access account data, especially if vendors are using commonly known passwords and other credentials.

Hackers can scan the internet for organizations with vulnerabilities in their remote access networks, spread malware inside and steal payment card data.

Remote access points are among the highest-risk parts of a payment system.

There are three major areas where PCI security can be compromised by a remote workforce.

  1. Technological compromise
  2. Procedure compromise
  3. Staffing compromise

Limiting exposure to payment data with your remote workforce is the first line of defense against bad actors and criminals. Some general recommendations to follow are:

Avoid staff using an unsecured WiFi network

Public WiFi networks are commonly exploited in cybercrime and can compromise security standards because they are typically not secure. Hackers can often capture credentials and sensitive data on them, and may also be able to distribute malware or spoof a WiFi network to capture data.

Use company-owned hardware

This is important for a remote workforce because it ensures that the company stays in control of the technology and software running on the systems that support payment card data processing. This includes laptops, cell phones, desktops and the software installed on them.

Software and hardware protection

Make sure all systems being used have firewalls, virus protection and VPN capabilities installed and in use at all times. Also make sure that the latest security patches are applied on each person’s systems. Think of a remote worker as an extension of the company’s network, and make sure every piece of technology follows PCI security standards.

Share information about security standards

Often, people are the weakest part of security in a remote workforce. Whether onsite or remote, people are vulnerable to threats. Having a process for sharing formal information about PCI compliance with a remote workforce is critical.

Implement a security awareness program

Each year, or whenever you migrate a workforce to working from home, a security awareness program should be conducted to ensure that each employee is trained properly on PCI security requirements. It is recommended to require employees to acknowledge the security standards and processes on a regular basis (daily or weekly).

Extra attention should be paid to home workers

Companies should take note that some of the requirements may be difficult to implement remotely, and these risks should be evaluated carefully. Processing account data in remote locations presents a new set of challenges for PCI compliance and controls must be effectively maintained.

Focus on endpoint security

Endpoint security can take on many different forms, and endpoints are often where bad actors enter networks and where PCI compliance breaks down. All software, firewalls, applications and operating systems must be updated from within protected networks. Never allow systems to be updated without the security protocol being followed.

Physical process and environment protection

If account data is ever written or printed on paper, ensure it is securely stored and then properly disposed of when it is no longer needed. Ensuring these best practices happen will take training and consistent acknowledgement by employees. It is recommended that employees acknowledge the security standards they are following every day upon login.

If any part of the phone software or hardware is being serviced by a company outside the organization, then both companies should understand and adhere to the PCI security standards in place, both with hardware and any employees that have access to that hardware or software.

Multi-factor authentication process

Multi-factor authentication processes must be used by all remote workers throughout the organization when connecting to any telephone system (traditional, VoIP or otherwise) if that system processes account data. Organizations should also restrict access to other software and media if it contains account information (call recording software or screen recording software).

COVID-19 Online Scams

During the novel Coronavirus crisis, cyber criminals are working to trick people into falling for cyber-attacks. POS (point-of-sale) vendors and employees are in a unique position in which payment card data is easier to access remotely than before.

The most popular attacks are social engineering attacks or phishing scams, where cyber criminals exploit the current pandemic by mass-distributing emails posing as medical organizations with important information. Make sure all remote staff follow best-practice security standards to avoid these scams.

These phishing attempts are not the only scams happening right now. Hardware and software attacks are heightened because of a larger than normal remote workforce. Make sure that vendors, employees and anyone working from home are following the hardware and software security standards so that payment card information isn’t vulnerable.

Resources:

The PCI SSC Questions to Ask Your Vendors resource can help businesses get the information they need from their third-party vendors.

https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_to_Ask_Your_Vendors.pdf

The PCI Qualified Integrators and Resellers (QIR) list is a resource that businesses can use to find payment system installers that have been trained by the PCI Security Standards Council on secure remote access and other payment data security essentials.

https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers
