PCI DSS Compliant and Working from Home – Can you do both?
In the past few months, organisations around the globe have had to rapidly adapt to a changing working environment due to the extensive Covid-19 social distancing restrictions. Unfortunately, the majority were not prepared for this level of change and quick solutions had to be found to allow staff to continue to perform their duties from their homes, as well as allowing the organisation to continue to function.
For many organisations, continuing to take card payments over the phone is crucial for them to maintain revenue generation. As many payments are processed through the payment providers web portal via a browser, the switch to remote working would appear to be fairly straightforward; the ease of processing the payment through a web browser meaning there are no technological barriers to taking payments whilst working remotely. However, this only demonstrates a lack of understanding by the decision-makers of the PCI DSS requirements and the associated compliance implications of such a conclusion.
The implications on an organisation’s compliance status of staff taking payments while working from home can be far-reaching; from network security issues related to laptops not being connected to the corporate network, through patching and updating staff laptops and the deployment of new software, to a lack of oversight of a clear desk policy. All of which add up to not being compliant without some mitigation measures being considered and preparations being made for changes.
The problem is further compounded by the fact that the PCI DSS doesn’t contain any provisions for handling exceptional circumstances and still remaining compliant. You are either compliant or not. So, should an organisation decide to allow payments to be processed by staff while working remotely, it would be non-compliant for that period, unless changes have been made and whether any given bank chooses to accept that period of non-compliance. As such, one of the first things you need to do if you are (or have already) made that change, is to engage with your acquiring bank to understand their stance on the organisation’s compliance status during these exceptional circumstances.
The next thing to do is to understand what impact the change will have on your compliance with the PCI DSS and, whilst the short answer is ‘a lot’, you will need to delve into a lot more detail to get the full picture, something which you will probably want to enlist the help of an expert for.
As a starting point, here are the two key areas that will definitely be affected by a change to home workers taking payments.
Technological Equipment – Your staff will be taking the payment on some sort of device; desktop, laptop, tablet, etc. and that device will be in scope of PCI DSS and will need to meet all the relevant requirements. As such, your IT department will need to have full control over the device, irrespective of whether it’s a company device or a personal one. This can easily be addressed by issuing a company device to home working staff, should they not already have one, and ensuring that your IT department configures the device to meet the defined PCI requirements.
The larger tech issue will be the network that the device is being used on, as this will also be in scope, along with any other device on that same network. In the vast majority of cases, this will be the staff member’s personal home network, which is liable to be more akin to the wild west, supporting a myriad of devices (kids phones, partners computer, games consoles, smart TVs, smart speakers like Alexa, wireless routers and much more) and so almost impossible to secure and control. That said, there are technological solutions to this issue, such as host firewalls or VPNs, which can be established to segment the network and remove these devices from scope.
Physical Security – This is by far the most pressing compliance issue and the most difficult or costly to solve. The PCI DSS considers the physical scope to be any ‘sensitive area’ which is defined as ‘any area where cardholder data is stored, processed, or transmitted’ and has a whole assortment of controls that need to be applied. By allowing staff to take payments at home, you are making those homes become sensitive areas and therefore subject to all the relevant requirements. Requirements such as having visitor logs, issuing visitor badges, logging all access, having access control or CCTV. I don’t have to explain how impractical it would be to try and apply such controls to people’s private homes and their families! Insisting on a lockable room with access only by your staff member is in itself a significant challenge.
The only real way to deal with the physical security issue is to remove the cardholder data from the private homes, so as to remove the location from scope. However, this will require a complete change in the payment processes that your organisation and staff are used to. You will need to redirect the customer away from the home worker at the point of taking payment and, whilst there are solutions and services that can implement this, such as third-party dual tone multi frequency (DTMF) payment applications or third-party call centres, these solutions are costly and take considerable time to deploy. Another option is to retain a small number of staff in your office, with appropriate social distancing measures in place, and transfer the call to them – if this is practical or even possible based on governmental restrictions.
These reasons, and many more, are why almost all QSAs and experts have generally previously simply recommended not having home workers taking payments; it creates too many challenges and issues that are both expensive and time consuming to address and, typically, not always worth the effort, resources or investment. However, these are exceptional times and for some organisations taking payments via home workers may be the only option to continue to operate. If this applies to your organisation, you need to perform a careful evaluation, with expert advice, to be able to find a compliant solution to the problem of home working. And it may be that this solution will become a long term one that you can continue to operate even after things return to normal and be a better and more efficient way of working than prior to the lockdown restrictions. One thing is for sure, the enforced move to remote working has shown how it can be effective and provide both the employer and employee with greater flexibility. Solutions, which have previously been considered and dismissed as too costly or time consuming, may now provide benefit to both parties.