Don’t Let Your New WFH Setup Jeopardize Your PCI Compliance

As a result of the coronavirus pandemic, many companies have shifted to a work-from-home (WFH) model. For companies that have WFH agents receiving card holder data (CHD) over the phone, this could put their PCI DSS certification at risk if not managed appropriately. There are several considerations when managing PCI compliance in this new ‘normal’. Below we’ve tried to break down the key considerations when it comes to leveraging people, process, and technology to mitigate this risk.

Assumptions

WFH Agents are receiving CHD for card-not-present transactions over the phone.

People

Develop documentation and disseminate messaging that addresses approved WFH Agent business practices.  The agent’s work environment is now an extension of your office and the Card Data Environment (“CDE”)

• Work from Home Memo / Acknowledgement regarding the processing of CHD
• Adjusted Roles and Responsibilities for WFH Agents
• Employee Security Awareness Training

Process

Review, update or develop policies, procedures and practices to ensure WFH Agents are working in a manner that is acceptable to the organization.

• Work from Home Policy
• Acceptable-Use Policy
• Data Handling Policy

Technology

Review current capabilities and solutions in place to address the considerations below.

• Disable USB ports on workstations unless required for job function; disable and alert of “media” insert
• Utilize captive VPN connectivity into CDE from workstations, no CHD stored or processed locally
• Do not allow WFH Agents administrator/root privileges on workstations
• Install Data Loss Protection (“DLP”) solution on workstations
• Utilize Multi-factor Authentication into the CDE
• Inventory newly acquired hardware/software

CompliancePoint Recommendations

• Utilizing an IVR (Interactive Voice Response) Solution
  • Allows customers to input their CHD thus, descoping the WFH agent
    • If an IVR is not feasible, limit WFH agents’ interaction with CHD to specific roles.
    • WFH agents should be transferring card-not-present calls to “in-house” agents/supervisors to complete authorized transactions.
• Review and address WFH Agent-Owned vs. Company-Owned equipment requirements
• Review third-party and client contractual requirements to ensure security responsibilities are defined and addressed

Refer to the following for additional information: Protecting Telephone-Based Payment Card Data from the PCI Council

Please reach out to us at: connect@compliancepoint.com if you have any questions about this topic or how CompliancePoint can assist your organization with managing your PCI compliance.