PCI SSC shares guidance for protecting payment data and how to work securely when connecting and working remotely. How can security be maintained when working remotely? 

It’s all about people, processes and technology. Employees are the first line of defense, and staff working remotely for the first time might not be familiar with the organization’s policies and processes that apply to remote work environments. All staff should receive security awareness training that emphasizes the importance of data security and be knowledgeable in the organization’s security policies and processes that apply to remote working. For example, policies and procedures should clearly prohibit any unauthorized copying, moving, sharing, or storing of payment card data in remote environments. Remote staff additionally need to be aware of their physical surroundings, taking care to prevent sensitive information from being viewed by unauthorized persons.  

The organization’s security processes should be kept up to date and ready for any eventuality caused by threats originating from remote environments. The use of technologies that ensure payment data remains protected and enable remote personnel to perform their work securely is also a vital consideration when supporting remote work environments 

How does the PCI Data Security Standard (PCI DSS) support secure remote working? 

PCI DSS provides several security requirements that should be implemented to protect remote workers and their environments. Some examples include:

  • Use multi-factor authentication for all remote network access originating from outside the company’s network.  
  • Where passwords are used, enforce a strong password policy and don’t allow the use of shared passwords.  Educate personnel on the importance of protecting their passwords and other authentication credentials from unauthorized access. 
  • Ensure all systems used by staff working remotely have up-to-date patches, anti-malware protection, and firewall functionality to protect from internet-based threats.  
  • Uninstall or disable applications and software that are not needed to reduce the attack surface of computers and laptops. 
  • Implement access controls to ensure that only individuals whose job requires access to the cardholder data environment (CDE) or cardholder data have access to those resources. 
  • Use only secure, encrypted communications—e.g., a properly configured VPN—to protect all transmissions to/from the remote device that contain sensitive information, such as cardholder data. 
  • Automatically disconnect remote access sessions after a period of inactivity, to avoid idle, open connections being used for unauthorized access.  
  • Limit access to system components and cardholder data to only those individuals whose job requires such access.  
  • Ensure incident response plans are up to date and include accurate contact details for key personnel. Procedures for detecting and responding to a potential data breach could be different for incidents originating from remote work environments.   

Are there payment data security process considerations that are different between onsite and remote environments?

Methods to maintain and ensure the effectiveness of secure processes and controls may need to be applied differently between onsite and remote environments For example, verifying the identify of a user calling IT for support could involve different steps than when the user and IT department are onsite at the same location.

All staff should be trained to be aware of potential phishing calls. IT teams should be prepared to identify rogue calls from people claiming to be remote users, and there should be a process for staff to confirm their identity when calling IT support remotely. Similarly, remote staff should know how to confirm that a person who phones claiming to be from corporate IT is legitimate before providing any information.  

All organizations should evaluate the additional risks associated with processing payment data in unsecured locations and implement controls accordingly. All staff should be made fully aware of the risks related to remote working and what is required to maintain the ongoing security of systems, processes, and equipment supporting the secure access and processing of payment card data. 

Where do I find more information? 

For more information about securing remote access please check out PCI SSC resources: 

Protecting Payments While Working Remotely