It is important to note that the issued guidelines are designed for this specific situation of remote work and do not in any way replace the existing PCI DSS requirements. It is only meant to support companies that meet compliance while their employees work from home. Let us today understand more about the guidelines suggested by PCI SSC and learn more about necessary preventive measures to be taken during such a situation

1. PCI DSS Compliance For
Remote Access During
COVID-19 Pandemic
How does the PCI Data Security Standard
(PCI DSS) support secure remote working?
Ÿ Uninstall or disable applica ons and so ware that may not be used, to reduce the risk of threat or
a ack from such sources.
As per PCI SSC, one of the best ways to guarantee con nued compliance is by maintaining a strong
security culture within the organiza on. Establishing a security culture does not just help deal with
challenges faced during the COVID-19 situa on but even beyond such a crisis, during such a similar
unforeseen situa on in the future. PCI SSC has provided several security requirements that should be
implementedtoprotectremoteworkersandtheirenvironments.Hereiswhattheguidelinesinclude-
Ÿ Use mul -factor authen ca on for all remote network access origina ng from outside the
company’s network.
Ÿ Enforce a strong password policy and do not allow the use of shared passwords. Addi onally,
employees should be educated about the importance of protec ng passwords and other
authen ca on creden als from unauthorized persons.
Ÿ Ensure all systems used by staff have up-to-date patches, an -malware protec on, and firewall
func onality in place to protect from internet-based threats.
Ÿ
As the COVID-19 pandemic con nues to spread across the world, companies have embraced the new
way of business opera ons. This includes allowing employees and stakeholders to work remotely. With
new government-mandated regula ons and restric ons on the movement of individuals, has widely
encouragedbusinessestoadoptremoteworkingmodels.Whilethismovehashelpedcontrolthespread
ofpandemicsitua onslargely,ithashoweverledtoasurgeincybercrimeslikedatabreach/the .
With cybersecurity issues growing dras cally, the PCI Security Standards Council was quick to recognize
the crisis situa on and the extraordinary circumstances that companies around the world are facing. To
address the severity of the situa on, PCI SSC issued a guideline detailing guidance for remote work. The
issuedguidestressestheneedtomaintainsecurityprac cestoprotectpaymentcarddata.However,itis
important to note that the issued guidelines are designed for this specific situa on of remote work and
© VISTA InfoSec ®

2. VISTA InfoSec’s Advice on taking preventive
measures for data theft/breach during
COVID-19 situation
Ÿ Implement access controls to ensure that only individuals who are authorized have access to the
cardholderdataenvironment(CDE)orthoseresources.
Ÿ Limitaccesstosystemcomponentsandcardholderdatatoonlyauthorizedindividuals.
Ÿ Have in place an appropriately configured VPN to protect all transmissions to/from the remote device
thatcontainssensi veinforma on.
Ÿ Ensure your organiza on has in place appropriate incident response plans to deal with unforeseen
situa ons. However, it is important to note that the procedures for detec ng and responding to a
poten aldatabreachfromremoteworkenvironmentscouldbedifferentfromon-siteloca ons.
Ÿ Automa cally disconnect remote access sessions a er a period of inac vity, to avoid idle, open
connec onsaccessedbyunauthorizedpersons.
The best way to secure confiden al data and prevent incidents of a breach is by building strong security
policies and procedures and having security awareness programs in place within the organiza on. This
will not only help organiza ons deal with unforeseen situa ons but also prevent incidents that may
impact business opera ons. To prevent falling prey to cybersecurity crimes here are some measures we
Security awareness programs
It goes without saying that, having in place necessary security awareness programs will go a long way in
protec ng confiden al data and prevent security breaches. Moreover, the security-awareness program
helps keep employees well informed about the poten al threat or risk they may encounter in an
unprotected environment. Besides it also helps the employees understand the importance of data
securityand compliance.Havingsaid that,companies that werePCI DSScompliant priorto this crisiswill
already have such a program in place. However, such programs may require some altera ons in the case
of addressing remote work challenges. They would need to probably educate employees about the
poten alrisksfromaremoteworkfromthehomeenvironment.Organiza onswillhavetolookforways
to ensure the con nued security of systems, processes, and equipment suppor ng the processing of
paymentcarddata.
Disaster or incident response program
While situa ons and nature of breach may definitely differ in a work remotely model, but it is equally
essen al and relevant for having a separate or altered disaster management program in place for a
remoteworkenvironment. Theorganiza onsshouldhaveinplacenecessarydeployableac onstodeal
with a situa on of the /breach. So, in an unforeseen event organiza on will be in a be er posi on to
recoveranddealwiththeincidentiftheyhaveappropriatemeasuresinplace.
© VISTA InfoSec ®

3. Do write to us your feedback, comments and queries or, if you have any requirements:
info@vistainfosec.com
You can reach us on:
USA
+1-415-513 5261
INDIA
+91 73045 57744
SINGAPORE
+65-3129-0397
© VISTA InfoSec ®
Monitoring process & Access
Situa ons are very different for both organiza ons and employees working from home. Keeping a tab on
employees adhering to security protocols is indeed a challenge for organiza ons. Companies must
effec vely monitor employees working remotely and processing card payments. Organiza ons should
haveinplacemeasuresthatensurecontrolledaccess.Haveinplaceamul -factorauthen ca onprocess
to ensure that no unauthorized person gets access cardholder payment data or account data. Deploy
necessary so ware or tools like Data Loss Preven on to secure and control data transfer. Tools like this
allow companies to monitor transfer or credit card informa on and block their transfer through insecure
exit points such as file-sharing services or instant messaging applica ons that employees may use while
working remotely. Organiza ons must also ensure that their employees destroy or shred any important
orsensi veinforma ondocumentifnolongerrequiredorstorethemsecurelyunderalock.
Company approved hardware
Employees should only use company-approved hardware for work which includes laptops, phones, hard
disks,drives,orUSBs.Thisisonewayanorganiza oncanmaintaincontrolofsystemsandthetechnology
suppor ng payment processing. Organiza ons can deploy DPL tools to ensure that no unauthorized
devices are connected to work computers. Deploying such tools will limit unauthorized access but also
block USBand peripheralports. Wealso recommend organiza ons updatetheiremployee’s laptops with
updated firewalls, an virus solu ons, and necessary security patches. The security controls deployed
shouldbeconfiguredinsuchawaythatuserscannotdisablethembyanymeans.
Conclusion
VISTA InfoSec has been serving clients in the industry for nearly 16 years. So, knowing the in’s out of
informa on security, we can help our clients maintain compliance even during a situa on of crisis. Our
expert advisors have the capability to assist companies prevent or even deal with the situa on of
breach/the . So if you are looking for expert advice to deal with the current challenges of COVID-19
situa on, do drop us a mail on askus[@]vistainfosec.com. For more details about our company and our
InfoSecSolu onofferingsdovisitourwebsitewww.vistainfosec.com
facebook.com/vistainfosec/ in.linkedin.com/company/vistainfosec twitter.com/VISTAINFOSEC