PCI DSS
Remote Working: Adapting Payment Security to the New Norm
Alexander Norell writes that during the lockdown period more businesses are operating remotely. Employees of banks and call centres are now handling more sensitive data from home, and this is likely to be the new norm. How can they ensure the data is protected?
With remote working now the new norm and with many businesses planning to continue with this new operational approach as they see the efficiency benefits, it’s important that companies adapt their security practices to protect payment card data.
The threat to data security, and to compliance with the General Data Protection Regulation (GDPR), has never been greater than in this period of lockdown. Data is continuing to move beyond the perimeter and out of the control of the organisation. Employees are accessing sensitive data from home PCs, inadvertently recording data on hard copy or electronic media, and using public networks. Staff are working longer hours and are not always able to focus on their security responsibilities. Some businesses are giving up their buildings and will have no premises to go back to.
Companies are having to increase their IT investment, at least in the short term with new PCs, VPN solutions, additional licences. And they are having to get used to new methods of communication such as video platforms whilst operating in a secure environment. Access policies are critical.
In fact, the same threats now apply, but across a much wider surface. Whereas most of the assets used to be protected by corporate and enterprise level security controls, we are now seeing the endpoints being exposed by remote workers.
- Plan your incident response — Proactive organisations are treating COVID-19 as an incident in its own right and planning incident response strategies together with their QSA companies.
- Additional security measures — As business processes continue to change, it's important to add further security steps. Enable multi-factor authentication, data loss prevention (DLP) and encryption. Any additional controls need to be documented. Monitor your data exfiltration points.
- Define your business reopening strategy — Look at where your people will be working. We are talking to organisations planning to have only 25% of the workforce back in the office by December. The PCI Council will also make changes to the way assessment evidence is gathered.
- Make your staff aware of the threats — Hold regular training sessions. The malware and threat actors are the same as before, but there will be more fake sites and phishing emails. Remind your staff not to connect through public Wi-Fi and to change the default passwords on their home routers.
- Keep a close eye on your IT and security budget — For many businesses, revenue loss will continue to be a reality. Some companies are reporting 40% losses. It’s important to ensure that your suppliers are helping you make the best use of your IT investment to ensure operational security.
Cyber and risk protection is the first line of defence for organisations just as our health service is for our workforce. Talk to your Qualified Security Assessor (QSA) company. They understand the increased external and internal threats to a company’s security as criminals continue to target the industry and remote working remains.
Data will continue to move outside the perimeter of a company. The businesses that adapt to the changes will be the forerunners in the economy and the ones that will be ready for further changes to standards from the PCI Council.
We are helping to prepare our customers, getting them to think about what’s next for the economy and what’s next for PCI planning.
The role of the CISO won't change fundamentally, but CISOs will need to take a different approach. There will be a greater focus on crisis management and on making the best use of IT and security investment. More security controls will certainly need to be put in place.
_______________________
SecureTrust, a Sysnet company, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
_______________________
Alexander Norell leads the delivery of compliance and risk services in EMEA. He is responsible for managing the teams that deliver compliance assessments, privacy engagements, information security consulting, IT governance consulting and risk assessments. Alexander also works with a number of multinational retailers, payment processors, acquirers and other service providers to help them achieve and maintain PCI DSS compliance.
He actively works as a P2PE PA-QSA and PA-QSA, and as such performs application security assessments on applications that need to be validated against P2PE and PA-DSS. Alexander joined Trustwave in 2007 and has been a part of the EMEA management team since 2009.