Because of Covid-19, many employees who have access to payments data are working from home, making it awkward if not impossible for data-security assessors to conduct onsite inspections. In response, the PCI Security Standards Council says it plans to make the next version of its data-security standard more reflective of changes in the workplace.
“With more employees working remotely, there needs to be a new approach to protecting payment data,” says Troy Leach, senior vice president for the PCI council. “The standard also needs to recognize there may be circumstances that prevent an assessor from conducting an onsite assessment, such as travel advisories or restrictions relating to coronavirus, and that result in the assessment being conducted remotely.”
These and other issues were discussed last week at the PCI Council’s annual North America Community Meeting, which was held as a virtual event.
Some of the ways employers can ensure employees have a secure work environment include reviewing data-security policies with employees to confirm they understand them, and checking audit logs for remote access.
“Most PCI data-security standard requirements are a demonstration of a process,” says Leach. “As the work environment changes, [data-security] processes must change with it.”
Adjusting to accommodate remote workers is not expected to be a temporary measure, as many employees are expected to continue working remotely once the pandemic ends, Leach adds. Ensuring that employees who continue to work from home know how to protect data over the long term will require continuing education and independent verification that the remote workplace itself is secure, says Leach.
Processes for conducting remote assessments are critical, again because infection fears could rule out actual visits. For example, assessors should make sure that the personnel interviewed and the system components examined are the same as they would be if the assessment were being done onsite, the council advises. Assessors should also be certain that the methods they use to observe a facility and collect evidence provide the same level of assurance as an onsite assessment.
In addition, assessors must document within their compliance report why onsite testing wasn’t performed and how the remote testing provided an equivalent level of assurance. All relevant evidence gathered during the assessment should be retained in case of an audit.
“Our aim is to rethink how remote assessments are performed without increasing the risk of the assessment,” says Leach.
Continuity in assessors will also be critical going forward, especially for remote assessments. “Assessors that are familiar with the environment should be kept, because they know the facility and the people in it,” says Leach. “Data-security assessors should be viewed more as a collaborator than an enforcer.”
Finally, when a remote assessment is conducted, processors and merchants should keep in mind that it may take longer than if it were conducted onsite, and that certain types of tests can only be done in person. Hence, delays in completing the assessment may be unavoidable, the PCI Council says.
Processes should also be implemented to verify the identity of workers who remotely connect to and disconnect from a payments-data network. Doing so helps keep out unauthorized personnel and attackers. To that end, the council recommends two-factor authentication for anyone remotely accessing a payment network.
“This was something that was being discussed prior to the pandemic,” says Leach. “Covid-19 just accelerated the discussion, because remote work will continue to be the norm for the foreseeable future.”
The PCI Council began the process of revising its core security standard last year. The initial request-for-comment period, which ran from October to December, generated more than 3,000 comments. An additional request-for-comment period started in September and will run through the end of the month. The final version of standard 4.0 is scheduled for mid-2021.
Unsurprisingly, current conditions will influence the contours even of this latest version of the standard. “The disruption from the Covid-19 pandemic is changing the payment industry,” says Leach. “That’s why version 4.0 of the standard is going to be more flexible.”