How your Remote Workforce impacts PCI DSS Compliance

Employees of companies of all sizes are now either required to shelter in place, or State and Government lockdowns are forcing companies to require their employees to work remotely. Companies are working hard to ensure that the technologies provided to their remote employees enable them to be effective at their jobs, but how are they ensuring that these remote systems, endpoints and environments meet security and compliance requirements? Attackers continue to have ample opportunity to gain access through compromised accounts, reach less secure remote work environments, and expose or steal sensitive data.

People, Processes, and Technology – Where does it start?

Issues arise for companies particularly when remote endpoint visibility is limited due to technical factors and remote employees lack the security training and awareness needed to work securely in a remote setting. Knowing and enforcing your remote employees’ job roles and data access, whether they are onsite or working from home, is critical.

Remote Endpoint Risk and Threats For PCI DSS

• No anti-virus, or only signature-based A/V, running on the remote endpoints to detect malware, spyware, and adware

• Endpoint devices not hardened or managed in accordance with the company’s secure configuration standards

• Remote users are not aware of the company’s Acceptable Use policies and guidelines.

• Insufficient Security Awareness training

• No defined roles and responsibilities for remote employees that restrict system and data-level access to only what is required

• Remote devices not centrally managed or updated with the latest vendor security patches

Where to begin in Securing your Remote Workforce For PCI DSS Requirements

  • First, review the access roles assigned to your remote employees. Ensure that only those employees with a need to know can access cardholder or sensitive data.
  • Engage your QSA to evaluate the endpoint configurations and review existing policies and procedures. This will ensure that all of the PCI requirements applicable to remote endpoints and processes are properly tested before the devices are given access to your corporate resources.
  • There are a couple of ways to conduct remote testing and validation. This can be performed at the company’s corporate office or remotely from the QSA’s location, which is likely more appropriate given the current work-from-home enforcement. In the remote case, your QSA will work with you to ensure they are provided with the necessary tools for testing (e.g., telepresence and remote access tools).

PCI DSS Requirements In-scope for Remote Endpoint Devices

The following PCI Requirements in scope for testing include, but are not limited to:

• Data flow and network diagrams: PCI Requirement 1.1.2

  • Network diagrams and data flow diagrams depicting the flow of cardholder data from the remote employee’s home network to the corporate network, along with a narrative to support the flow, should be documented.

• Personal firewall on endpoints: PCI Requirement 1.4.

  • Remote endpoints must have a personal firewall installed and actively running. Employees must not be able to alter their personal firewall settings.

• Hardening Configuration Standards (NIST, CIS, SANS, etc.): PCI Requirements 2.1, 2.2, 2.3, 2.4

  • Remote endpoints should be configured so that only necessary services, protocols, etc. are enabled. All vendor-supplied default accounts should be removed or disabled and default passwords must be changed.
  • An inventory should be maintained of all remote endpoint devices used by employees. The inventory should include the make/model of the device as well as the operating system and version installed on the device.

• Anti-Virus on remote endpoints: PCI Requirements 5.1, 5.2, 5.3, 5.4

  • Remote endpoints that are commonly affected by malicious software must have an anti-virus solution deployed. The solution must:
      • Be capable of detecting, removing, and protecting against all known types of malicious software.
      • Be configured to perform automatic updates.
      • Be configured to perform periodic scans.
      • Not be capable of being disabled by the employee.
  • Anti-virus software log generation must be enabled and anti-virus logs must be retained for a minimum of 1 year.

• Patch Management: PCI Requirements 6.1, 6.2

  • Remote endpoints must be updated with the latest critical security patches.

• Change Management: PCI Requirement 6.4

  • Configuration changes made to remote endpoints must be approved and follow the company’s change control process.

• Identify and authenticate access to system components: PCI Requirements 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8

  • Employees must be assigned a unique user ID and a strong password for access to systems.
  • Generic and shared accounts should not be used.
  • Multi-factor authentication must be used for all remote access to the corporate network.
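The checks above are easier to evidence for a QSA when the device inventory (Requirement 2.4) carries the state of each control. The script below is an added example, not part of the original post or any PCI SSC material: it evaluates a constructed inventory against the requirement numbers listed above. The inventory fields, hostnames, the 30-day patch window and the reference date are assumptions.

```python
"""Check a remote-endpoint inventory against the PCI DSS controls listed above.
Added example; the inventory and the 30-day patch window are assumptions."""
from datetime import date

PATCH_WINDOW_DAYS = 30          # assumed threshold; the post only says "latest critical patches"
AS_OF = date(2020, 5, 1)        # assumed reference date for the constructed sample

# (requirement, finding text, passes(device, as_of) -> bool)
RULES = [
    ("1.4", "personal firewall not running or alterable by the user",
     lambda d, t: d["firewall_on"] and not d["firewall_user_editable"]),
    ("2.1-2.4", "vendor default accounts enabled or make/model/OS not inventoried",
     lambda d, t: d["default_accounts_disabled"] and bool(d["make_model"]) and bool(d["os_version"])),
    ("5.1-5.4", "anti-virus missing, not auto-updating, not scanning, or user-disableable",
     lambda d, t: d["av_installed"] and d["av_auto_update"]
                  and d["av_scheduled_scan"] and not d["av_user_can_disable"]),
    ("5.x", "anti-virus logging disabled or log retention under 1 year",
     lambda d, t: d["av_logging"] and d["av_log_retention_days"] >= 365),
    ("6.1-6.2", "critical security patches older than the patch window",
     lambda d, t: (t - d["last_patch"]).days <= PATCH_WINDOW_DAYS),
    ("8.x", "shared/generic account in use or no MFA for remote access",
     lambda d, t: not d["shared_account"] and d["mfa_for_remote_access"]),
]

def evaluate(device, as_of):
    """Return the (requirement, finding) pairs the device fails."""
    return [(req, text) for req, text, ok in RULES if not ok(device, as_of)]

def report(inventory, as_of):
    """Map each hostname to its failed requirement numbers; an empty list means compliant."""
    return {d["host"]: [req for req, _ in evaluate(d, as_of)] for d in inventory}

# Constructed sample inventory: LAPTOP-01 is compliant, LAPTOP-02 has gaps.
INVENTORY = [
    {"host": "LAPTOP-01", "make_model": "Vendor A Model 1", "os_version": "OS 10.4",
     "firewall_on": True, "firewall_user_editable": False, "default_accounts_disabled": True,
     "av_installed": True, "av_auto_update": True, "av_scheduled_scan": True,
     "av_user_can_disable": False, "av_logging": True, "av_log_retention_days": 400,
     "last_patch": date(2020, 4, 20), "shared_account": False, "mfa_for_remote_access": True},
    {"host": "LAPTOP-02", "make_model": "Vendor B Model 2", "os_version": "",
     "firewall_on": True, "firewall_user_editable": False, "default_accounts_disabled": True,
     "av_installed": True, "av_auto_update": False, "av_scheduled_scan": True,
     "av_user_can_disable": False, "av_logging": True, "av_log_retention_days": 400,
     "last_patch": date(2020, 1, 15), "shared_account": True, "mfa_for_remote_access": True},
]

if __name__ == "__main__":
    for host, failed in report(INVENTORY, AS_OF).items():
        print(host, "compliant" if not failed else "fails " + ", ".join(failed))
```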

PCI DSS Remote Employee Policy and Procedures

• Ensure that policies and procedures are properly enforced with regard to an Acceptable Use Policy: PCI Requirements 12.3 (Usage policy), 12.6 (Security awareness training), 12.7 (Background checks)
