America is reopening as states announce relaxed restrictions related to the coronavirus. During this time, businesses that handle credit cards must keep an eye on remaining PCI compliant as they reopen following COVID-19.
COVID-19 PCI Compliance Considerations for the Main Payment Channels
There are three main payment channels for PCI compliance: call centers, e-commerce, and retail shops. All three have considerations for returning to normal operations as business segments re-open. This article explores each area and related factors to take into account.
PCI Compliance Call Centers and Customer Service
Many businesses with call centers and customer service centers handling credit card information transitioned to home-based work locations during the pandemic. Now they are grappling with how to return their workforce to a secure office environment. Unwinding measures implemented to facilitate remote work is best accomplished with a measured approach to support PCI compliance.
New business norms are being established to allow for a safe return. Some capabilities may remain as part of the new workplace to support updated procedures and social distancing. Ensure network capabilities and other technology are robust and secure to support the return to the business. Considerations for workplace distancing and for changes made on returning from the remote work environment include:
- Data Loss Prevention (DLP): Review DLP tools tuned to accommodate remote employee activity on platforms such as cloud storage, email, or instant messaging used for customer contact and business as usual (BAU) activities. A transition plan to review DLP tuning is essential to secure activity on the office platforms.
- Internet content filtering: Restrictions on social media, news, or streaming sites may have been relaxed for remote employees to stay informed during the pandemic. Restrictions on the use of cloud storage or other collaboration tools may have been relaxed to facilitate communication with customers and to enable workstreams outside of the office. Both sets of rules need to be brought back in line with company policy.
- Mobile Device Management (MDM): MDM implemented to support urgent communications or changes made as a result of the pandemic should be inspected; a review of MDM enrollments is necessary to maintain secure data and communications.
Ensure employees laid off or terminated during the pandemic have been properly disabled in the MDM console. To protect sensitive information and client relationships, validate registered devices are wiped so no email, company contacts or other company information remains.
When transitioning employees back to the office, brief security awareness training is recommended. Include topics such as:
- COVID-19 related fake news
- Smishing (fake text messages)
- Phishing (spam email)
- Review credit card security and proper call center handling
e-Commerce + PCI During COVID-19
Servers hosting e-commerce sites need to be current on all vendor patching. Reopening of businesses and offices is a good time to review all patching updates and apply patches in order of criticality.
Encryption certificates should be reviewed to verify they are current. The list of encryption key custodians needs to be updated, and the security of all encryption keys should be reviewed as well.
Access should be reviewed to verify all privileged users are current and non-privileged users have correct access. This includes:
- Access to the e-commerce site, whether using a redirect payment channel, an inline frame or other payment channels
- Access to the e-commerce server
- Access to the production environment. This should be segmented and controlled, allowing only the appropriate level of access.
Retail locations + PCI During COVID-19
As retail locations open, credit card payments (swipe, dip and contactless) will be in full swing. To prepare your credit card payment systems prior to opening:
- Turn on the systems and check for vendor updates
- Update passwords. Passwords lasting 90 days or more may have expired
- Check all connections with the device readers
- Update firewall rules if needed
- Run a rogue access scan verifying the environment is secure
- If the point of sale system runs through the back-office network, review all access to the systems and remove out-of-date employee access
- Employee access to badge readers, keys and any other network devices should be reviewed and updated.
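An added example, not part of the original article: one way to automate the access reviews described above, reconciling MDM enrollments and point-of-sale accounts against HR separation records. The CSV column names and every sample row are constructed assumptions, not any vendor's export format.

```python
import csv
import io

# Constructed sample exports; column names are assumptions, not a vendor format.
HR = """employee_id,status
e1001,terminated
e1002,active
e1003,laid_off
"""
MDM = """device_id,employee_id,enrolled,wiped
d-01,e1001,yes,no
d-02,e1002,yes,no
d-03,e1003,no,no
d-04,e1003,no,yes
"""
POS = """account,employee_id,enabled
pos-a,e1001,no
pos-b,e1002,yes
pos-c,e1003,yes
pos-d,e1999,yes
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_mdm(hr_csv, mdm_csv):
    # Flag devices of separated staff that are still enrolled or never wiped.
    gone = {r["employee_id"] for r in rows(hr_csv) if r["status"] != "active"}
    findings = []
    owned = [d for d in rows(mdm_csv) if d["employee_id"] in gone]
    for d in owned:
        if d["enrolled"] == "yes":
            findings.append((d["device_id"], "still enrolled"))
        elif d["wiped"] != "yes":
            findings.append((d["device_id"], "unenrolled but not wiped"))
    return findings

def review_accounts(hr_csv, acct_csv):
    # Flag enabled accounts whose owner has left or is unknown to HR.
    status = {r["employee_id"]: r["status"] for r in rows(hr_csv)}
    findings = []
    enabled = [a for a in rows(acct_csv) if a["enabled"] == "yes"]
    for a in enabled:
        owner = status.get(a["employee_id"])
        if owner is None:
            findings.append((a["account"], "owner not in HR records"))
        elif owner != "active":
            findings.append((a["account"], "owner separated"))
    return findings
```

Calling `review_mdm(HR, MDM)` and `review_accounts(HR, POS)` returns the devices and accounts that need follow-up; an enabled account with no matching HR record is reported separately because it has no accountable owner.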
As the pandemic spread, organizations may have adopted ad-hoc capabilities to support remote work. Returning to the normal business environment should follow change management procedures with all changes impacting the credit card environment fully documented and approved by management.
When any change is made to the PCI network, it is important to use your change management ticketing system. Recording changes and their authorization tracks what was changed, why, and by whom, which helps monitor the security of the credit card environment.
For all environments, the return to work is a good time to have all employee passwords updated. Be certain they use the proper policy requirements for creating secure passwords. One recommended practice is to use a passphrase. Also, be certain to educate your workforce about not using the same password for all systems.
It is always easier to add access to your system than it is to try to track down any inappropriate access; being proactive ensures security is up to date and that your enterprise shows no weakness. This will help you to stay PCI compliant while reopening following COVID-19.