Call us on 03450 21 21 51

Remote working: maintaining PCI DSS compliance in the age of online shopping
The SRM Blog

Remote working: maintaining PCI DSS compliance in the age of online shopping

Ian Armstrong

Written by Ian Armstrong

14th September 2020

Share this article

remote working pci dss compliance

When you first embarked on your Payment Card Industry (PCI) Data Security Standard (DSS) compliance journey, did you ever imagine you would be where you are now? With large numbers of employees set up remotely, the working environment you may have envisaged when you first achieved compliance has probably changed beyond all recognition.

Who could have imagined individual employees taking payments over the phone in hastily assembled home offices or using their own devices to conduct transactions all via VPN connections back to office networks and systems? But this, and similar practices, are an aspect of the “new normal” for many businesses. It has never been more important to adhere to the PCI DSS compliance process and prioritise card payment security to ensure the safety of customer data.


The acceleration of the digital revolution

The world has been changing for a while and it’s been a long time since cash was king. Paying with notes and coins had become a declining habit and card payments, whether PIN machine transactions, contactless, online or over-the-phone payments, had already become standard practice for most shoppers.

Then along came Covid-19.

The pandemic has heralded nothing short of a digital shopping revolution. Sales over the internet are no longer the preserve of the digitally-adept. Many, who had never made a single purchase online, learned how to click to purchase rather quickly and even participate in family Zoom quiz calls amongst other things. Those who used online platforms occasionally but preferred to shop in person were compelled to change their habits.

As a result, online sales have soared over the last six months. Amazon recorded a 40 per cent increase in traffic in the second quarter of this year; several online fashion sites have reported experiencing a 75 per cent surge in visitors in the early months of lockdown and a myriad of smaller businesses have seen a similar surge in online trade. Whether this trend will continue depends on several factors.


The long-term shift in shopping habits

A recent UK survey found that 10 per cent of those surveyed said they will avoid shopping on the high street in the future as a result of the coronavirus. Some say they are waiting for a vaccine before venturing out while others have simply found online shopping to be quick and convenient.

There is also the question of the nature of change. Now that the genie is out of the bottle, and the digital novices have learned how to shop online, will they be inclined to revert to old habits? Whatever the answer, it is essential for the majority of businesses to embrace the change, commit to the digital model and to ensure that customers can shop safely.


Protecting customer data in a remote-working environment

The PCI DSS is central to protecting customer data. Yet without the structure of an office-based compliance process, businesses now have to consider how to ensure it is adhered to when employees are working remotely. It is a challenge to ensure that all elements – the people, the process and the technology – operate effectively. Here are a few points for guidance.

  1. Culture of security

A culture of security is essential and, when employees are not in the traditional office environment, this needs to be actively maintained. A security-awareness programme (PCI DSS Requirement 12.6) should be delivered to new and existing staff to remind them of the importance of applying security, especially when out of the office environment. As always, such awareness should be reiterated regularly, but perhaps three or four times a year in such circumstances to ensure complacency does not creep in.

  1. Risk assessment

A risk assessment should be conducted to evaluate the additional risks of processing account data in unsecured locations and controls implemented accordingly. Staff should be fully aware of the risks associated with remote working and aware of their own responsibilities in maintaining the security of systems, processes and equipment, particularly in relation to telephone-based payment card data.

  1. System security

System security can be a challenge in remote-working environments. At the very least, employees should be required to ensure that their devices:

  • Are password protected
  • Have the latest patched software installed
  • Use company approved networks
  • Have been positioned appropriately to prevent others viewing screens
  • Are not shared with any unauthorised individuals
  1. Access controls

When home workers are taking card payments over the telephone, the process must be effectively monitored and access controlled. For example, multi-factor authentication when connecting to any system that processes account data.

  1. Secure storage

Account information should not be written down. All necessary information should be stored within the appropriate system applications in a safe and secure manner.

  1. Company-approved hardware

To reduce the risk associated with using personal devices, only company-approved hardware should be used for the processing of telephone-based payment card data. These devices should be maintained, controlled and supported by the company in line with the requirements of the PCI DSS. They should also be configured to prevent any controls being disabled.

  1. Protection

All devices need to be protected with firewalls, anti-virus software and have all the latest security patches installed.

  1. Network security

The network being used remotely must be secure in line with the requirements of PCI DSS.


Seeking professional guidance

Adapting the rigorous standards of PCI DSS to the remote working model is a challenge, even for the most experienced compliance officers. But failure to comply can lead to serious consequences in the event of a breach, not least the prospect of a fine. Investing in professional advice will ensure that every aspect is covered so that your business can provide protection and security for your customers.

SRM’s PCI team is highly qualified and experienced across all sectors and sizes of business to ensure that compliance is achieved and maintained, however and wherever your business is conducted.

Want to ensure your business is meeting PCI DSS compliance requirements under your new working conditions? Get in touch with the SRM team today on 03450 212151 or contact us here.

Back to top