The long-term implications of the COVID-19 pandemic are still unfolding. More and more employees are working remotely, with an estimated 48% of workers planning to work remotely at least some of the time. While some departments or groups have returned to the office, others remain remote, so organizations must support both environments and ensure that organizational data, and payment card data in particular, is protected both inside and outside the standard network.
When it comes to PCI compliance, a number of factors come into play for remote merchant environments. Merchants may initially have adopted temporary processes as a quick fix to keep operations running while working remotely. Now that it is evident these arrangements may remain in place well into the future, it is important to confirm which merchants are collecting payments, and how, in order to avoid non-compliant processes and the risk of compromise.
To identify which merchant environments have staff operating remotely, the PCI Team should consider adding a question about remote work to the annual or bi-annual merchant survey. From there, the team can work with those merchants to scope the remote environments and document the processes with cardholder data flow diagrams. The PCI Team will want to document:
- How cardholder information is received
  - Do employees receive payment card information at home over the phone, through a fax machine, via mail, online, etc.?
- Any systems that are involved in the transmission of CHD
  - Is information collected over the phone, on desktops, laptops, etc.?
  - If payments are taken over the phone, is it a VoIP phone, analog, cellular, etc.?
- How the payment is processed
  - Is CHD entered into a payment card terminal/device, into a third-party system, into an employee-owned laptop or workstation, etc.?
- If and where any CHD is being stored (on paper, electronically, etc.)
  - Do employees ever take paper CHD home with them? If they pick up the mail and then do not go into the office for several days to process mailed-in payments, where is that mail kept in the meantime? Are they writing CHD on scratch paper while processing phone payments? What happens to it? Do others in the household have access to such media?
- Whether the department has an online ecommerce website, and if so, whether it can be the primary or sole method for accepting customer payments
- If employee systems are involved in the receipt or transmission of cardholder data, how those systems are connected
  - What equipment are employees using at home?
  - What other equipment resides in that home environment, and how is it used and managed?
  - Are employees connecting to the organizational network through a secured, controlled Virtual Private Network (VPN)?
It is important to understand what merchant processes are currently in place. The team should then define what is acceptable and unacceptable, and offer the merchant compliant options if they need to continue taking payments from remote locations. Below are some general Dos and Don’ts that should be followed for remote payment environments.
Dos:
- Encourage merchants to direct customers to online payment processes or ecommerce websites.
- Try to replicate the campus-based payment environment as much as possible. It may be possible to extend the organization’s network through the use of a VPN connection and institution-issued devices that are managed by the IT team.
- Maintain device inventory by having staff check out the equipment and document which employee has taken which device.
- Continue to perform required device inspections and log this activity just as merchants did while in the office.
- Collect payment card information over the phone on a landline/analog telephone or a dedicated, organization-issued cellular telephone.
- Go into the office to gather mailed-in or faxed-in payments, and process those payments in the office on approved equipment. If necessary, these documents can also be taken home to be processed if using approved, secure terminals.
- Stand-alone, cellular credit card terminals (e.g., Move/3500) may be brought home by employees to process payments.
- Stand-alone, analog dial-up credit card terminals may be brought home by employees to process payments, as long as the employee has a landline telephone line at their location.
- Credit card terminals that are a part of a PCI-listed P2PE solution (e.g., Bluefin, FreedomPay, CardConnect, Clover, etc.) may be brought home by employees. Because P2PE encrypts the data before it reaches the network, a validated P2PE solution can be used on wireless or home networks without pulling those networks into scope.
- Standalone P2PE devices can be connected to Ethernet connections on personal devices or organization-issued equipment.
- Terminals integrated with a specific software solution (e.g., Paciolan, CashNet, Anthology, AudienceView, etc.) should be connected via USB to organization-issued laptops. Connecting these terminals to personal devices is not recommended; a validated P2PE solution would leave the workstation out of formal PCI DSS scope, so this is a risk-based decision for your institution to make.
- Verify employees understand requirements for handling and protecting paper-based CHD.
- Update departmental operating procedures to cover the “work-from-home” environment and document both traditional and current payment processes.
- Ensure Procurement understands to flag any new vendors/purchases that involve payment card information as needing approval by the PCI Team. With the loss of in-person, water cooler talks, it may be more difficult to become aware of changes in vendors, etc.
Don’ts:
- Allow employees to use personal devices or equipment that have not been specifically designated for payment card processing.
- Allow employees to use general-purpose workstations to enter payment card information. This becomes an even higher risk with employees at home.
- Allow staff to accept payments from customers over the phone and enter cardholder information into ecommerce websites on behalf of the customers.
- Collect payment card information using a personal cellular phone.
- Collect payment card information through VoIP softphone solutions, such as Google Hangouts or Zoom calling. (Remember that most “landlines” offered by ISPs are actually voice over IP (VoIP), and accepting cards through one on a home network would bring the entire network into PCI scope.)
- Allow faxes containing payment card information to be forwarded to email for easy access. Email is an insecure medium, and sending unprotected payment card data over it is specifically prohibited by the PCI DSS (absent additional security controls), as it exposes payment card information to malicious actors.
- Write down payment card information on paper at home and then transport it to the office for processing without a process for securing the paper-based data before authorization (e.g., storing it in a locked safe).
Some additional guidance from the Security Advisor team:
[Campbell]: Wow, that article packed a lot of information into three pages! Who else needs a breather? Because there’s not a great deal to add, let me recap/summarize a few key points, to hopefully help them sink in. Let’s start with self-service ecommerce. It’s a different world than it was back when I first helped put a university tuition/fee payment site online in 1999. Who else remembers when Justin Timberlake was going to reinvigorate something called “MySpace” as a part-owner? What’s the point here? Most of your customers today are likely to be far more comfortable paying through ecommerce than 10+ years ago. I remember the fretting back in 1999. It all worked out. Ecommerce isn’t a fit for every single merchant business and customer service model, but in these times where you are probably still not back to pre-pandemic in-person services, your first idea should be to drive as much business as possible to fully-outsourced ecommerce that runs through a validated payment gateway/processor.
For those cases where you must have your employees in work-from-home situations actually processing transactions, your first choice should be validated P2PE solutions and terminals. Your last choice should be ever having employee home networks, phones, and/or computers in your PCI DSS scope. In fact, I’ll go so far as to say that if you’re considering this model, you want to contact your CampusGuard Customer Advocate and Security Advisor and have a discussion. In the middle somewhere, if you already have workstations/networks in scope back at the campus, is assigning campus-owned and campus-managed workstations with, as the article says, at least a secure VPN connection to segregate the home network. Split-tunneling should not be allowed. (If you’re not technically-minded, this does not mean having a choice of tunnels to get to and from Manhattan; ask your favorite IT person.)
Finally, don’t forget about paper and phones. Just like you have no idea how the home computer/network environment is managed and would have no realistic way to maintain required PCI DSS controls, you have no idea who else is in the household and what kind of physical security can be placed around paper media with CHD. Worst case, consider a locking fire box and, as always, never store CHD that you don’t need, and never for a moment longer than you need it.
If you have any questions at all, please feel free to contact us.