‘On average only 28% of global organizations maintained full compliance with the PCI-DSS. Half of assessed organizations successfully test security systems and processes and unmonitored system access, and around two-thirds monitor access to business-critical systems effectively.’
– Verizon Business 2020 Payment Security Report
Right up to early 2020, remote work remained an elusive target for many companies, even within the technology sector. The COVID-19 pandemic accelerated the adoption of remote work, and organizations of every size and industry quickly realized that the work their employees had been performing on-site for years could in fact be done remotely. Protecting customer data has always been a prime responsibility of the service provider. This has been a difficult task even in on-site workplace settings, akin to hitting a fast-moving target. With the current tectonic shift to remote work, compliance and risk management functions are being strained as we adjust to this new normal. The issue is amplified in regulated industries such as financial services.
PCI-DSS (Payment Card Industry Data Security Standard) has been the gold standard for safeguarding customer financial data and is implemented in financial services organizations globally. Let’s dive into what this standard can offer to ease some of the chaos surrounding organizations in the age of remote work.
What is PCI-DSS?
The PCI-DSS is a set of technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. It applies to any entity that stores, processes, and/or transmits cardholder data, and it covers the technical and operational system components included in or connected to the cardholder data environment. If your business accepts or processes payment cards, it must comply with the PCI-DSS. It is the global data security standard that any business of any size must adhere to in order to accept payment cards.
What are the primary goals of PCI-DSS?
The primary goals of PCI-DSS are to: maintain an information security policy, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and build and maintain a secure network.
Does PCI-DSS apply to remote work environments?
Yes, the essential elements of the PCI-DSS requirements also apply to remote work environments. Deploying business continuity plans during the pandemic could constitute a significant change to your cardholder data environment (CDE).
Where should I start during the current move to remote work environments?
Conduct a risk assessment. This will enable the organization to evaluate the additional risks of processing customer account data in unsecured locations. The prime focus of this activity is to assess the risk introduced by significant changes to your environment. This step will also prompt you to reevaluate the controls that are currently in place.
Is conducting a risk assessment sufficient?
Though the risk assessment is a key first step, the journey only begins there. Actively addressing the observations from the risk assessment is equally important. A comprehensive security awareness drive (PCI-DSS Requirement 12.6, security awareness program) is essential to reiterate the organization’s security culture and the mandatory security processes that are in place.
Would an update to security policy suffice or are there any technology items that need to be looked at?
Robust security is a function of people, processes, and technology, as is the case with any information security framework or standard. The risk assessment should revisit all the requirements within the PCI-DSS standard. It is important to focus on quick wins such as enabling MFA (multi-factor authentication) for both employees and customers. Organizations should actively refrain from using SMS-based MFA and use an authenticator instead. Logging and monitoring is another key technology area of interest.
Is it necessary to review the asset inventory?
Organizations should take a detailed inventory of the updated environment. Deny by default should be the watchword for network connections and access that originate from devices that are not part of the corporate asset inventory.
In these unprecedented times, there may be some slight deviations in the way security functions in my organization. As our PCI-DSS certification is current, we should be good. Right?
Talk with your QSA (Qualified Security Assessor) about how to manage exceptions and what is deemed an acceptable deviation.
As PCI-DSS is a point-in-time assessment, can I wait till the next audit activity to make necessary changes?
You must continue to fulfill the periodic controls for PCI-DSS compliance. Be advised that controls need to be operating for the entire compliance year leading up to your annual PCI-DSS assessment.
What about the networks?
Make sure you have an up-to-date network map. During the internal risk assessment, it may be an eye-opener to unearth servers and systems that were not on the asset inventory. However, it may not look great to have them discovered during the external audit.
‘We never had security lapses and never will. Breaches happen only in the “other” companies. Why do we need to listen to this?’
If statistics help: according to the most recent Verizon Data Breach Investigations Report, 86% of data breaches in 2019 were financially motivated, and in the retail vertical 99% of security incidents related to the acquisition of payment data by attackers.
To learn more about how Kuma can assist you in your PCI-DSS compliance journey, reach out to us: info@kuma.pro.