How your Remote Workforce impacts PCI-DSS Compliance
PCI DSS Remote Employee Demand
Employees of companies of all sizes are now either required to shelter in place, or state and government lockdowns are forcing companies to have their employees work remotely. Companies are working hard to ensure that the technologies provided to remote employees let them be effective at their jobs, but how are they ensuring that these remote systems, endpoints and environments meet security and compliance requirements? Attackers continue to have ample opportunity to use compromised accounts, reach less secure remote work environments, and expose or steal sensitive data.
People, Processes, and Technology – Where does it start?
Issues arise for companies particularly when remote endpoint visibility is limited by technical factors and remote employees lack the security training and awareness needed to work securely from home. Knowing and enforcing your remote employees' job roles and data access, whether they are onsite or working from home, is critical.
Remote Endpoint Risk and Threats For PCI DSS
• No anti-virus, or only signature-based A/V, running on the remote endpoints to detect malware, spyware, and adware
• Endpoint devices not hardened or managed in accordance with the company's secure configuration standards
• Remote users not aware of the company's Acceptable Use policies and guidelines
• Insufficient security awareness training
• No defined roles and responsibilities for remote employees that restrict system- and data-level access to only what is required
• Remote devices not centrally managed or updated with the latest vendor security patches
Where to begin in Securing your Remote Workforce For PCI DSS Requirements
- First, review your remote employee access roles assigned. Ensure that only those employees with a need to know can access cardholder or sensitive data.
- Engage your QSA to evaluate the endpoint configurations and review existing policies and procedures. This will ensure that all of the PCI requirements applicable to remote endpoints and processes are properly tested prior to releasing the devices to your corporate resources.
- There are a couple of ways to conduct remote testing and validation. Testing can be performed at the company's corporate office or remotely from the QSA's location; the latter is likely more appropriate given the current work-from-home enforcement. In that case, your QSA will work with you to ensure they are provided with the necessary tools for testing (e.g., telepresence and remote access tools).
PCI DSS Requirements In-scope for Remote Endpoint Devices
The following PCI requirements are in scope for testing, including but not limited to:
• Data flow and network diagrams: PCI Requirement 1.1.2
- Network diagrams and data flow diagrams depicting the flow of cardholder data from the remote employee's home network to the corporate network, along with a narrative supporting the flow, should be documented.
• Personal firewall on endpoints: PCI Requirement 1.4
- Remote endpoints must have a personal firewall installed and actively running. Employees must not be able to alter their personal firewall settings.
• Hardening configuration standards (NIST, CIS, SANS, etc.): PCI Requirements 2.1, 2.2, 2.3, 2.4
- Remote endpoints should be configured so that only necessary services, protocols, etc. are enabled. All vendor-supplied default accounts should be removed or disabled, and default passwords must be changed.
- An inventory should be maintained of all remote endpoint devices used by employees. The inventory should include the make/model of the device as well as the operating system and version installed on it.
• Anti-virus on remote endpoints: PCI Requirements 5.1, 5.2, 5.3, 5.4
- Remote endpoints that are commonly affected by malicious software must have an anti-virus solution deployed, and that solution must:
  - Be capable of detecting, removing, and protecting against all known types of malicious software
  - Be configured to perform automatic updates
  - Be configured to perform periodic scans
  - Be protected from being disabled by the employee
- Anti-virus log generation must be enabled, and anti-virus logs must be retained for a minimum of 1 year.
• Patch management: PCI Requirements 6.1, 6.2
- Remote endpoints must be updated with the latest critical security patches.
• Change management: PCI Requirement 6.4
- Configuration changes made to remote endpoints must be approved and follow the company's change control process.
• Identify and authenticate access to system components: PCI Requirements 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
- Employees must be assigned a unique user ID and a strong password for access to systems.
- Generic and shared accounts should not be used.
- Multi-factor authentication must be used for all remote access to the corporate network.
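The endpoint controls above map naturally to a review of the device inventory an assessor collects. The following is an added example, not code from the original post or from MegaplanIT: a small Python check that scores constructed remote-endpoint inventory records against PCI Requirements 1.4, 2.1, 2.4, 5.x, 6.2 and 8.x. The record schema and the 30-day patch-age and 7-day signature-age thresholds are assumptions for illustration, not values the page or PCI DSS prescribes.

```python
# Added example, not the page's own code: score constructed endpoint inventory records
# against the PCI DSS controls above. Schema and both age thresholds are assumptions.
from datetime import date

TODAY = date(2020, 4, 15)        # constructed assessment date
MAX_PATCH_AGE_DAYS = 30          # assumption for "latest critical patches"
MAX_SIG_AGE_DAYS = 7             # assumption for "automatic updates"
GENERIC_IDS = {"admin", "user", "shared", "guest", "pos"}

def evaluate(rec, today=TODAY):
    """Return [(requirement, finding), ...]; an empty list means compliant."""
    f = []
    if not rec.get("firewall_on") or rec.get("firewall_user_editable"):
        f.append(("1.4", "personal firewall off or alterable by the employee"))
    if rec.get("default_accounts_present"):
        f.append(("2.1", "vendor-supplied default account still enabled"))
    f += [("2.4", "inventory missing " + k) for k in ("make_model", "os", "os_version") if not rec.get(k)]
    av = rec.get("av") or {}
    if not av.get("installed"):
        f.append(("5.1", "no anti-virus deployed"))
    else:
        if not av.get("auto_update") or (today - av["sig_date"]).days > MAX_SIG_AGE_DAYS:
            f.append(("5.2", "signatures not auto-updating or stale"))
        if not av.get("scheduled_scans"):
            f.append(("5.2", "periodic scans not configured"))
        if av.get("user_can_disable"):
            f.append(("5.3", "employee can disable anti-virus"))
        if not av.get("logging") or av.get("log_retention_days", 0) < 365:
            f.append(("5.2", "AV logging off or retention under 1 year"))
    if (today - rec["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        f.append(("6.2", "critical patches older than %d days" % MAX_PATCH_AGE_DAYS))
    if rec["user_id"].lower() in GENERIC_IDS:
        f.append(("8.5", "generic or shared account: " + rec["user_id"]))
    if not rec.get("mfa_remote_access"):
        f.append(("8.3", "MFA not enforced for remote access"))
    return f

# Constructed sample records: a managed corporate laptop and an unmanaged home PC.
COMPLIANT = {"make_model": "Dell 5410", "os": "Windows 10", "os_version": "1909",
             "firewall_on": True, "firewall_user_editable": False, "default_accounts_present": False,
             "last_patch": date(2020, 4, 10), "user_id": "jsmith", "mfa_remote_access": True,
             "av": {"installed": True, "auto_update": True, "sig_date": date(2020, 4, 14),
                    "scheduled_scans": True, "user_can_disable": False, "logging": True,
                    "log_retention_days": 400}}
NONCOMPLIANT = {"make_model": "", "os": "Windows 10", "os_version": "",
                "firewall_on": True, "firewall_user_editable": True, "default_accounts_present": True,
                "last_patch": date(2020, 1, 5), "user_id": "admin", "mfa_remote_access": False,
                "av": {"installed": True, "auto_update": False, "sig_date": date(2020, 2, 1),
                       "scheduled_scans": False, "user_can_disable": True, "logging": False,
                       "log_retention_days": 0}}
```

Running `evaluate(NONCOMPLIANT)` yields one finding per failed control, keyed by requirement number, which is the form an assessor needs when mapping gaps back to the PCI DSS sections listed above.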
PCI DSS Remote Employee Policy and Procedures
• Ensure that there are properly enforced policies and procedures with regard to an Acceptable Use Policy: PCI Requirements 12.3 (usage policy), 12.6 (security awareness training), 12.7 (background checks)