COVID-19 and PCI Compliance - National Information Solutions Cooperative (NISC)


In light of the COVID-19 pandemic and the urgency to set up employee offices at home for the foreseeable future, it is imperative that no one lets their guard down. The security protections already in place exist to draw a boundary between trusted and untrusted. When we move employees to an untrusted place, such as a home office, we must either fortify the new location or leave what would otherwise be vulnerable services inside the trusted environment. With PCI compliance, that is every bit the case.

Fortunately, NISC’s e-commerce solutions allow customers to make payments through those channels without compromising your PCI compliance or their cardholder data (CHD). Directing customers to these solutions maintains continuity with solutions already in place and does not require you to put extra strain on your employees or your network.

Even if a Verifone terminal is set up to connect through the office network to take payments (which is what keeps the computer network out of PCI scope, provided the terminal encrypts the card data before it reaches that network), accepting card details over the phone puts the phone system in PCI scope, because the CHD is transmitted over it. That is already often the case in the office, and it applies just as much to whatever carries the call at home: a cell phone, a forwarded call, or VoIP over a VPN. If you decide to use a SmartHub CSR login or Virtual Terminal, the home computer is in PCI scope just as an office computer would be. Using Remote Desktop Protocol (RDP) or a thin client such as a Citrix workstation helps minimize exposure, but remember that the card data is still typed on the home machine, so keyboard logging and even memory scraping remain concerns. Applicable PCI requirements are still in full effect. The following is from a respected PCI QSA who blogged about this very topic (Work From Home PCI Considerations):
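The memory-scraping concern above is easy to underestimate. As an added example (this is not NISC’s code and was not part of the original post), the following Python scans a constructed byte buffer, standing in for a fragment of a CSR workstation’s memory or clipboard, for PAN-like digit runs and keeps only those that pass the Luhn check. That is the same heuristic both memory-scraping malware and PCI scoping and DLP tools use, and it shows why a computer on which card numbers are typed is in scope even when the application itself runs remotely. The sample buffer is constructed; the card numbers in it are well-known test numbers, not real cards.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a fragment of a CSR workstation's memory or clipboard:
# form fields, an RDP session's keyboard buffer, a note pasted by a rep. Not a real dump.
# The PANs are well-known test card numbers, not real cards.
SAMPLE_MEMORY = (
    b"Account 1234567812345678 ticket 4471\x00\x00"
    b"cc=4111 1111 1111 1111 exp=12/24\x00"
    b"phone 8005551234 amex 378282246310005\x00"
    b"mc:5500-0000-0000-0004 bad:4111111111111112\x00"
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not adjoining other digits.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check as used by the card brands: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(buf: bytes) -> List[Tuple[int, str]]:
    """Return (offset, masked PAN) for every Luhn-valid PAN-like run in buf.

    Digit runs that fail Luhn (account numbers, ticket IDs, a mistyped card)
    are dropped; real scoping tools additionally check issuer (IIN) ranges.
    """
    hits: List[Tuple[int, str]] = []
    for m in PAN_CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):
            hits.append((m.start(), mask_pan(digits)))
    return hits


if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_MEMORY):
        print(f"offset {offset:#06x}: {masked}")
```

Run against the sample, the scanner reports three PANs (the Visa, Amex and Mastercard test numbers) and ignores the account number, the phone number and the mistyped card, all of which fail Luhn or are too short. Anything this simple can find in a home PC’s memory, a keylogger or scraper can find too, which is why RDP and thin clients reduce but do not remove the workstation from scope.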

“As a result, bring your own device (BYOD) is the only answer in the near term to getting people working from home. In discussions not only amongst the Dream Team but with other QSAs, there just do not seem to be any good answers for using BYOD and maintaining PCI compliance. None of us can come up with ways to maintain compliance with BYOD because there are just too many factors involved from anti-virus (many varieties), limited or non-existent central monitoring and management, vulnerability scanning, penetration testing, patching, differing hardware, differing operating systems and a host of other issues that make it impossible to verify compliance let alone maintain compliance.”

Given the above, directing your customers to NISC’s e-commerce solutions is the most secure and least disruptive way for them to make a payment. NISC’s e-commerce solutions include CallCapture Secure Payments IVR, SmartHub Web/Mobile, PayNow, and QDS EBPP Ebill Web. Third-party solutions include US Payments kiosks and CRC. If you have one or more of these already set up, there is no change for you or for your customers. If you have questions about setting one or more of these up, reach out to your CC&B Payments team.

We are continually looking at suggestions on what more can be done, as well. Stay tuned for an information hub with answers and solutions to common questions our Members are asking during these unprecedented times.