Remotely Working From Home Securely
How to Maintain PCI When Employees Work Remotely
This post contains part of the text from the SecurityMetrics Working From Home Securely Checklist.
To view the full interactive checklist, download the PDF below:
Consider Your PCI Scope
When considering a work-from-home environment, it is important that you map out the flow of cardholder data to ensure safe collection and processing.
- Establish your scope by answering the following questions:
- How is data being received by employees?
- Over the phone
- Fax
- Internet communications
- Once data is received, how are employees processing this data?
- What devices and network segments are involved in the transmission of cardholder data?
- How is cardholder data stored, processed, and transmitted?
Address Your Network
A vital step in promoting a secure environment is addressing your network and keeping an encrypted connection between home-based computers/laptops and your corporate network.
- Verify with your IT that your VPN:
- Watches for viruses
- Monitors and logs all access
- Oversees web activity
- Make sure that employees:
- Use only the company’s VPN and not free VPN software
- Are receiving security awareness training tailored to protect the work-from-home environment
- Assume that your employee’s home network/computer are not a secure option for processing payments
- Continue the security stance of your CDE (Cardholder Data Environment)
- Extend your CDE network via VPN connectivity or virtual desktop/Citrix solutions
- Provide company-owned mobile devices that are:
- Hardened
- Capable of being managed remotely
- Disable split tunneling in order to maintain proper network segmentation
- Utilize your VoIP (Voice over Internet Protocol) endpoints, if included in your CDE
- Send VoIP endpoints home with staff to use over a VPN or encrypted connection
- Confirm VoIP data is encrypted when being transmitted over the internet
- Keep in mind that call recordings may be in scope and must be protected
Reduce Your Risk
As you shift your sensitive data (e.g., card data environment (CDE) or personally identifiable information (PII)), you can take steps to ensure data is not more at risk than it would be if your employees were in your office.
- Implement P2PE (Point-to-Point Encryption), if you are unable to extend your CDE network to remote locations
- Consider different types of P2PE devices
- Implement a P2PE endpoint that will keep employees’ computer and network out of your scope for your environment
Maintain Compliance
Now that you have defined your scope and understand your processes for sensitive data, you can take steps to secure your systems and maintain compliance.
- Perform an annual assessment with a QSA (Qualified Security Assessor), if you are a level 1 service provider or level 1 or 2 merchant
- Reach out to your QSA to:
- Inform them of your proposed remote work environment
- Confirm you have accounted for all security requirements
- Keep your company secure while encountering significant environment changes
- Verify that all relevant requirements (PCI, HIPAA, GDPR, HITRUST, etc.) have been implemented
- Carry out a risk assessment
- Update all documentation, including diagrams, policies, procedures and inventories
- Run vulnerability scans
- Perform a penetration test
- Define what constitutes a significant change to your environment
- Plan ahead for what steps are to be taken when a significant change to CDE occurs
- Familiarize yourself with applicable policies
- Keep documentation to demonstrate that policies and procedures were followed
- Continue to inform remote employees of:
- Data security best practices
- Current policies and procedures
- Specific steps they must take before beginning work from home
.svg)
