COVID-19 and PCI Compliance
In light of the current COVID-19 pandemic and the urgency of setting up home offices for employees for the foreseeable future, it is imperative that no one lets their guard down. The security protections already in place exist to draw a boundary between trusted and untrusted. When we move employees to an untrusted location, such as a home office, we must either fortify the new location or leave the services that would otherwise be exposed inside the trusted environment. With PCI compliance, that is every bit the case.

Fortunately, NISC's e-commerce solutions allow customers to make payments through those channels without compromising your PCI compliance or their cardholder data (CHD). Directing customers to these solutions maintains continuity with what is already in place and does not require you to compromise your PCI compliance or put extra strain on employees or your network.

Even if you set up a Verifone terminal to connect to the office network to take payments, which keeps the computer network out of PCI scope, accepting a card number over the phone brings that phone system (Cell phone? Forwarded call? VoIP over VPN?) into PCI scope, as is already often the case: the CHD is still transmitted over the phone, so the phone system is in scope. If you decide to use a SmartHub CSR login or the Virtual Terminal, the home computer would be in PCI scope just as it would be in the office. Using Remote Desktop Protocol (RDP) or a thin client such as a Citrix workstation helps minimize exposure, but remember that keystroke logging and even memory scraping on the endpoint remain concerns. All applicable PCI requirements are still in full effect.

The following is from a respected PCI QSA who blogged [...]