Over the past few months, we’ve seen many businesses bring their employees back to the office after months (and months and months) of working from home (WFH). However, others are offering the option of a permanent WFH arrangement or a hybrid one that includes both WFH and working in the office. This sparks the question of whether PCI DSS requirements apply to WFH environments—a question addressed by the PCI Security Standards Council (PCI SSC) in a recent Guidance.
According to the Guidance, PCI DSS requirements “may apply to WFH environments in different ways, depending on the entity’s business and security needs and how (it) has configured (its) infrastructure to support personnel working from home.” The job functions performed by individual employees may also have some bearing on how PCI DSS applies—for instance, “whether an individual requires access to payment card account data or the entity’s cardholder data environment (CDE), and the type of access required.”
Here’s the rest of what PCI SSC had to say about the PCI DSS and WFH.
Networks and Network Support
PCI SSC noted that some entities might elect to support WFH environments as an extension of their network, for example, by furnishing employees with networking equipment to use in their WFH space and managing that equipment. In this scenario, employees should be required to secure their WFH network and environment following PCI DSS requirements. Entities might choose this path if employees perform tasks considered “high risk,” for example, handling sensitive security functions or accessing highly confidential information from their home network.
Ensuring a secure connection between the methods WFH employees use and the entity’s network is equally critical. But because home networks usually fall outside an entity’s ability to control, and the security of these networks cannot be verified, WFH networks may be considered untrusted networks. In this case, the WFH network is also excluded from the business’s PCI DSS scope—and entities should, in turn, define secure processes for remote personnel to follow and secure the systems these employees use when working from home.
Additionally, the Guidance stipulates that any system used to access account data or the entity’s CDE should be secured and managed with all applicable PCI DSS controls. This means, for instance, configuring systems per the entity’s security configuration standards and protecting them from untrusted networks via firewalls, up-to-date patches, and anti-malware.
Policies and Procedures
On the policies and procedures front, organizations are instructed to set WFH security policies and procedures. These should mandate that employees limit access to cardholder data within the WFH environment, for example by locking their computer screens when walking away from them and securely storing any paper copies of cardholder data.
Strict adherence to employers’ policies for securing the network and computer equipment used at home for work-related purposes should also be required. So, too, should prohibitions against unauthorized copying, movement, or storage of account data onto local hard drives and removable electronic media.
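The controls named above (host firewall, current patches, anti-malware, screen lock, and no account data on local or removable storage) are the kind of thing an entity can verify on each WFH system rather than simply mandate. The following is an added example, not code from the PCI SSC Guidance or from any PCI SSC tool: it evaluates a constructed endpoint posture report, of the sort an endpoint-management or DLP agent might collect, against those controls and lists what fails. The report field names, the thresholds (30-day patch age, 7-day signature age, 15-minute screen lock), and the sample reports are all assumptions made for the example.

```python
"""Evaluate a WFH endpoint posture report against the controls the Guidance
names for systems that access account data or the CDE.  Added example; the
report format and the thresholds below are assumptions, not PCI SSC values."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Illustrative thresholds (assumptions chosen for this example).
MAX_PATCH_AGE_DAYS = 30
MAX_SIGNATURE_AGE_DAYS = 7
MAX_SCREEN_LOCK_MINUTES = 15


@dataclass
class Finding:
    control: str   # short control name, e.g. "firewall"
    detail: str    # human-readable reason the control failed


def _days_since(timestamp_iso: str, now: datetime) -> int:
    """Whole days between an ISO-8601 UTC timestamp and `now`."""
    return (now - datetime.fromisoformat(timestamp_iso)).days


def evaluate_endpoint(report: Dict, now: datetime) -> List[Finding]:
    """Return one Finding per failed control; an empty list means the
    endpoint meets every check this example implements."""
    findings: List[Finding] = []

    # Protection from untrusted (home) networks: host firewall must be on.
    if not report.get("firewall_enabled", False):
        findings.append(Finding("firewall", "host firewall is disabled"))

    # Up-to-date patches.
    patch_age = _days_since(report["last_patch_utc"], now)
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(Finding(
            "patching", f"last patch applied {patch_age} days ago "
                        f"(limit {MAX_PATCH_AGE_DAYS})"))

    # Anti-malware running with fresh signatures.
    am = report.get("anti_malware", {})
    if not am.get("running", False):
        findings.append(Finding("anti_malware", "anti-malware is not running"))
    else:
        sig_age = _days_since(am["signatures_updated_utc"], now)
        if sig_age > MAX_SIGNATURE_AGE_DAYS:
            findings.append(Finding(
                "anti_malware", f"signatures are {sig_age} days old "
                                f"(limit {MAX_SIGNATURE_AGE_DAYS})"))

    # Screen lock when the user walks away: must be set and reasonably short.
    lock = report.get("screen_lock_minutes")
    if lock is None or lock <= 0 or lock > MAX_SCREEN_LOCK_MINUTES:
        findings.append(Finding(
            "screen_lock", f"idle screen lock is {lock!r} minutes "
                           f"(must be 1..{MAX_SCREEN_LOCK_MINUTES})"))

    # No copying of account data to removable media or local disk.
    if report.get("removable_media_write_allowed", True):
        findings.append(Finding(
            "removable_media", "writing to removable media is permitted"))
    local_hits = report.get("local_account_data_files", 0)
    if local_hits:
        findings.append(Finding(
            "local_storage",
            f"{local_hits} file(s) containing account data found on local disk"))

    return findings


def failed_controls(report: Dict, now: datetime) -> List[str]:
    """Convenience wrapper: just the names of the failed controls."""
    return [f.control for f in evaluate_endpoint(report, now)]


# Constructed sample reports (not real endpoint data).
NOW = datetime(2021, 9, 1, tzinfo=timezone.utc)
COMPLIANT_REPORT = {
    "firewall_enabled": True,
    "last_patch_utc": "2021-08-20T00:00:00+00:00",
    "anti_malware": {"running": True,
                     "signatures_updated_utc": "2021-08-30T00:00:00+00:00"},
    "screen_lock_minutes": 10,
    "removable_media_write_allowed": False,
    "local_account_data_files": 0,
}
NONCOMPLIANT_REPORT = {
    "firewall_enabled": False,
    "last_patch_utc": "2021-06-01T00:00:00+00:00",
    "anti_malware": {"running": True,
                     "signatures_updated_utc": "2021-08-01T00:00:00+00:00"},
    "screen_lock_minutes": 60,
    "removable_media_write_allowed": True,
    "local_account_data_files": 2,
}

if __name__ == "__main__":
    for name, rep in (("compliant", COMPLIANT_REPORT),
                      ("noncompliant", NONCOMPLIANT_REPORT)):
        print(name)
        for f in evaluate_endpoint(rep, NOW):
            print(f"  FAIL {f.control}: {f.detail}")
```

Each finding maps back to one of the controls the Guidance calls out, so the output can be used to decide whether a given WFH system is fit to access account data or the CDE, and to feed the awareness messages to personnel that the Guidance also asks for.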
The PCI SSC also noted in the Guidance that entities should evaluate any additional risks presented by processing payment data in unsecured locations and set up controls accordingly. Personnel should be informed of the risks associated with working remotely and of what is required to consistently maintain the security of systems, processes, and equipment, with the objective of supporting secure access to and processing of payment card data.