Business Continuity – Processing Payments Remotely

Many organizations were quick to adapt to COVID-19 and researched ways to accept payment cards with all staff working from remote locations. Alternatively (or perhaps optimistically), others initially took the stance against accepting payments from home and shifted primarily to e-commerce, but now two months into the pandemic, are reconsidering and wondering “where do I begin?” There is no better time than now to confirm which merchants are collecting payments, and how that is being done, to ensure their efforts to provide customer service are not leaving your organization exposed.

Although we have seen a slight relaxation in some compliance regulations like HIPAA, the PCI Security Standards Council has reconfirmed that the full PCI DSS still applies. Outside of directing customers to online, self-service payment options, unfortunately, there isn’t a one-size-fits-all solution for handling payments remotely.

First, understand the merchant’s need for taking payments from remote locations. Below are a few questions you should ask to assess the requirements:

• Does the department have an online, e-commerce website?
  • If yes, can that be the primary or sole method for accepting customers’ payments?
• How many payments are expected to come in?
• How are payments received by employees (via mail, phone, fax, etc.)?
• If payments are going to be taken over the phone, is it a VoIP phone, analog, cellular, etc.?
• Once received, how will they process the information? What devices and systems will be involved?
• It may also be helpful to map out the flow of cardholder data to ensure you haven’t missed any step in the process.

Once you have evaluated the overall need, you must now consider the risks.

• What is the logical environment like?
  • Can conversations be overheard?
  • What else is on the shared network – IoT devices, game consoles, or other computers?
  • Who is responsible for network security?
• What is the physical environment like?
  • Is there a locked office or merely a desk underneath the stairs?
  • Are paper forms secure at all times?
• Does the volume of transactions justify the need, or are there lower risk alternatives that are better given the current situation?

If the organization decides to move forward with a remote payment option, below are some recommended best practices.

Receiving Payment Card Information:

E-Commerce
Standard, online payment processes or e-commerce websites should not be affected. Customers can continue to purchase goods or services online using their own devices as before.

For employees that must access e-commerce websites to research or access payment data (often the case for military payments):

• Use institution-issued equipment or laptops
• Use of VPN software is also recommended

Telephone
For those merchant that accept payment cards over the telephone:

• Calls should be accepted through a landline/analog telephone or a college/university issued cellular telephone. Use of personal cellphones is not recommended.
• Gathering payment card information through VoIP options, such as Google Hangouts or Zoom Calling, is not recommended. As VoIP systems traverse the internet, any sensitive information such as payment card numbers can be more easily accessed by malicious actors.
• See below for guidance on how the information received over the telephone can then be processed.

Mail
For those merchants that receive CHD through the mail, and have a continuing business need:

• As allowed and as safety permits, employees will need to periodically go into the office to gather mailed-in payments. They can either process the payments while in the office or take the information back to the home office for processing there.

Fax
For those merchants that receive CHD via fax machine, and have a continuing business need:

• As allowed and as safety permits, employees will need to periodically go into the office to retrieve faxed documents. As with mailed-in payments, faxed-in payments can be processed while in the office or taken to the home office for processing.
• Faxes should not be sent to email for easy access. Email is an insecure medium that is specifically forbidden by the PCI DSS as it allows malicious actors access to payment card information.

Processing Payment Card Information

When setting up to process payment cards at home, you should try to replicate your campus-based payment environment as much as possible. It may be possible to extend your network through the use of a VPN connection and institution-issued devices that are managed by your IT team.

Point of Sale (POS) or Point of Interaction (POI) Devices
Allowing employees to take home a POS/POI device for payment processing is likely the easiest way to continue to accept payments that come in via the phone, fax, or snail mail. Maintain your device inventory by having staff checkout the equipment and document which employee has taken which device. Remind them that they must continue to perform required device inspections and log this activity just as they did while in the office.

• Stand-alone, cellular credit card terminals (i.e. FD410) may be brought home by employees to process payments. These terminals must be secured in a manner similar to when the devices are located in an office setting.
• Stand-alone, analog dial-up credit card terminals (i.e. FD130) may be brought home by employees to process payments, as long as the employee has a landline telephone line at their location. These terminals must be secured in a manner similar to when the devices are located in an office setting.
• Credit card terminals that are a part of a PCI-listed P2PE solution (i.e. Bluefin, FreedomPay, CardConnect, Clover, etc.) may be brought home by employees.
  • Standalone devices can be connected to Ethernet connections on personal devices or institution-issued equipment.
  • Terminals integrated with a specific software solution (i.e. Paciolan, CashNet, iModules, etc.) should be connected via USB to university/college-issued laptops capable of running VPN software.
    • Connecting these terminals to personal devices is not recommended.

Workstations/Laptops:
One of the most common compliance failures our Security Advisors find during assessments is the use of general-purpose workstations to enter in payment card information. This becomes an even higher risk with employees at home. Are departments allowing staff to accept payments from customers over the phone and entering in cardholder information on behalf of the customers? If they are doing so on personal, unsecured PCs this presents a number of security and compliance failures.

• Your organization may be able to configure an organization-issued laptop to take payments and qualify for the SAQ C-VT as long as the necessary network segmentation is in place. Along with additional controls, the laptop must be single purpose and only able to access the dedicated resources/payment sites.
• If the lack of visibility in to the SAQ C-VT environment at home makes your risk people feel uncomfortable, it may be possible to extend your existing CDE network via a VPN connection. Obviously, this setup fails to meet SAQ C-VT eligibility requirements and will have to be validated with SAQ D. Continue with organization-issued devices that have been hardened and that are managed remotely. Ensure that the laptop is connected to the organizational VPN that is configured to isolate it from the rest of the home network (i.e. split tunneling should be disabled in order to maintain the proper network segmentation).

If you choose to accept the risks and receive card payments remotely, you can avoid the introduction of additional risk by implementing as many security controls as possible. These unprecedented circumstances have many organizations leaning more towards business continuity over full compliance, however, with malicious individuals waiting to pounce on hurried remote-work solutions – caution should be used.

Don’t forget to update departmental operating procedures to cover the “work-from-home” environment and document both traditional and current payment processes.

Some additional guidance from the Security Advisor team:

[Burt]: All great guidance in this article. It has been awhile since the COVID-19 situation has begun, and university/college staff have been forced to work at home. However, if you haven’t implemented a work from home plan yet (or even if your stated plan is to not take payments remotely), you still may want to touch base with the various merchant areas. Generally speaking, most people follow policies and procedures. But, sometimes with lack of supervision, guidance, and/or proper knowledge comes the potential for bad things to happen. If possible, just take the time to see if any remote payments are occurring in ways that could be harmful to your PCI compliance or could lead to exposure of customers’ cardholder data.

Additional Resources:
PCI SSC Blog: Protecting Payments While Working Remotely