How your Remote Workforce impacts PCI DSS Compliance

People, Processes, and Technology – Where does it start?

Issues arise for companies, particularly when remote endpoint visibility is limited due to technical factors and remote employees lack the necessary security training and awareness to work securely in a remote setting. Knowing and enforcing your remote employee’s job roles and data access, whether they are onsite or working from home, is critical.

Remote Endpoint Risk and Threats For PCI DSS

• No Anti-Virus or Signature-based A/V only running on the remote endpoints to detect malware, spyware, and adware

• Endpoint devices not hardened or managed in accordance with the company’s secure configuration standards

• Remote users are not aware of the company’s Acceptable Use policies and guidelines.

• Insufficient Security Awareness training

• No defined roles and responsibilities for the remote employees, restricting system and data-level access to only what is required

• Remote devices not centrally managed or updated with the latest vendor security patches

Where to begin in Securing your Remote Workforce For PCI DSS Requirements

• First, review your remote employee access roles assigned. Ensure that only those employees with a need to know can access cardholder or sensitive data.
• Engage your QSA to evaluate the endpoint configurations and review existing policies and procedures. This will ensure that all of the PCI requirements applicable to remote endpoints and processes are properly tested prior to releasing the devices to your corporate resources.
• There are a couple of ways to conduct remote testing and validation. This can be performed at the company’s Corporate office or remotely from the QSA location, which is likely more appropriate, given the issues we are currently facing with work-from-home enforcement. In this case, your QSA will work with you to ensure they are provided with the necessary tools for testing (eg. Telepresence and remote access tools).

PCI DSS Requirements In-scope for Remote Endpoint Devices

The following PCI Requirements in scope for testing include, but are not limited to:

• Data flow and network diagrams: PCI Requirement 1.1.2

o Network diagrams and data flow diagrams depicting the flow of cardholder data from the remote employee’s home network to the corporate network, along with a narrative to support the flow should be documented.

• Personal firewall on endpoints: PCI Requirement 1.4.

• • Remote endpoints must have a personal firewall installed and be actively running. The employees must not be able to alter their personal firewall settings.

• Hardening Configuration Standards (NIST, CIS, SANs, etc): PCI Requirement 2.1, 2.2, 2.3, 2.4

• Remote endpoints should be configured so that only necessary services, protocols, etc. are enabled. All vendor-supplied default accounts should be removed or disabled and default passwords must be changed.
• An inventory should be maintained of all remote end-point devices used by employees. The inventory should include the make/model of the device as well as the operating system and version installed on the device.

• Anti-Virus on remote endpoints: PCI Requirement 5.1, 5.2, 5.3, 5.4

• Remote endpoints that are commonly affected by malicious software must have an anti-virus solution deployed and must include the following:
• Be capable of detecting, removing, and protecting against all known types of malicious software.
• Be configured to perform automatic updates
• Be configured to perform period scans
• Cannot be disabled by the employee
• Anti-virus software log generation must be enabled and anti-virus logs must be retained for a minimum of 1 year.

• Patch Management: PCI Requirement 6.1, 6.2

o Remote endpoints must be updated with the latest critical security patches.

• Change Management: PCI Requirement 6.4

o Configuration changes made to remote endpoints must be approved and follow the company’s change control process.

• Identify and authenticate access to system components: PCI Requirements 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

• • Employees must be assigned a unique user ID and a strong password for access to systems.
  • Generic and shared accounts should not be used.
  • Multi-factor authentication must be used for all remote access to the corporate network.

PCI DSS Remote Employee Policy and Procedures

• Ensuring that there are properly enforced policies and procedures with regards to an Acceptable Use Policy: PCI Requirements 12.3 (Usage policy), 12.6 (Security awareness training), 12.7 (background checks)

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We’re Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!