It goes without saying that the outbreak of COVID-19 has had numerous impacts on “business as usual.” The growing adoption of work from home (WFH) during the pandemic has introduced unique challenges to many organizations’ IT footprint. This new IT landscape could have real impact on an organization’s PCI scope and compliance obligations, depending on the nature of its business and interaction with cardholder data (CHD). Any organization attesting to PCI compliance needs to consider the impact that remote employees may have on its own PCI scope. The first (and obvious) question to ask is –

Are my WFH employees interacting with cardholder data on any level?

If the answer to that question is yes, the following is a list of items to consider for your WFH employees.

  •  Methods by which employees access the resources and/or tools used to interact with CHD.

Employees working from home should be instructed to access company resources only via company-issued and approved hardware. Technical restrictions to enforce this control should be implemented as WFH is normalized and becomes an adopted practice. Examples of these technical controls include VPN “HIP” (host integrity protection) checks, domain / MDM policy restrictions, IP whitelisting, etc. By enforcing the use of company-issued hardware, an entity can ensure that all endpoints used to access its environment fall under the umbrella of the tools, configurations and processes it uses to secure the device.

  •  Local home networks used to connect employee endpoints to the internet and / or company remote access services.

PCI scope is defined as “the system components that store, process or transmit cardholder data, systems that are connected to the systems that store, process or transmit cardholder data and / or systems that can affect the security of the systems that store, process or transmit cardholder data.” Thus, if an employee has a device directly interacting with cardholder data, this machine is considered in scope as a CDE device and can bring other devices connected to the same network into scope. This poses problems in a WFH environment, as the employee is likely connecting to the Internet from a simple home network shared with other devices around the house. By definition, these other devices on the home network would now be in scope for the entity’s PCI compliance. To avoid this, an entity could implement host-based firewalls (isolating the in-scope endpoint from the rest of the home network) and/or site-to-site VPNs.
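As an added illustration of the host-based firewall option above (this is example code, not part of the original post or any PCI Council material), the following POSIX shell script generates an nftables ruleset for a Linux WFH endpoint that touches CHD. The idea is that the endpoint refuses all inbound connections from the home LAN and only sends traffic to the corporate VPN gateway or through the tunnel, so the neighbouring devices never exchange traffic with it. The gateway address (203.0.113.10, a documentation range), port 1194 and interface tun0 are placeholder assumptions; a full-tunnel VPN client is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds an nftables ruleset that
# isolates a WFH endpoint handling cardholder data from the rest of its home
# network. Only DHCP, the VPN handshake to the corporate gateway, and traffic
# inside the tunnel are allowed out; nothing on the LAN may connect in.
# VPN_GW / VPN_PORT / VPN_IF are placeholder assumptions, override as needed.

VPN_GW="${VPN_GW:-203.0.113.10}"   # placeholder: corporate VPN gateway (TEST-NET-3)
VPN_PORT="${VPN_PORT:-1194}"       # placeholder: VPN UDP port
VPN_IF="${VPN_IF:-tun0}"           # placeholder: tunnel interface name

# Emit the ruleset on stdout (pure text, safe to run without root).
build_ruleset() {
  cat <<EOF
table inet wfh_isolation {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    # Replies to connections this endpoint opened (including through the tunnel).
    ct state established,related accept
    # No new inbound connections from the home LAN or anywhere else.
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    ct state established,related accept
    # DHCP so the endpoint can still obtain an address from the home router.
    udp dport 67 accept
    # The VPN handshake itself, and only to the corporate gateway.
    ip daddr $VPN_GW udp dport $VPN_PORT accept
    # Everything else must travel inside the tunnel (full-tunnel VPN assumed).
    oifname "$VPN_IF" accept
  }
}
EOF
}

# Returns 0 when the generated ruleset contains the given rule text, else 1.
has_rule() {
  build_ruleset | grep -q -- "$1"
}

# Load the ruleset into the kernel (requires root and the nft binary).
apply_ruleset() {
  build_ruleset | nft -f -
}

case "${1:-}" in
  --apply) apply_ruleset ;;
  *)       build_ruleset ;;   # default: print the ruleset for review
esac
```

Run it without arguments to review the generated policy, and with `--apply` as root to load it. The gateway is referenced by IP address so that no name resolution is needed before the tunnel is up; if the VPN client connects to a hostname instead, add an output rule permitting UDP port 53 to the home resolver. Note that this controls only the endpoint's own traffic: the in-scope machine still shares a broadcast domain with the household's devices, so a separate VLAN or a site-to-site VPN appliance remains the stronger segmentation choice where the home router supports it.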

  •  Physical security of the WFH environment.

The PCI Council has provided the following guidance for addressing the physical security of a WFH environment –

“Restrict physical access to media containing payment card data, such as call or screen recordings, as well as networking/communications hardware.”

“Particular attention must be given to home workers. Some of the examples of controls may be difficult to implement. Organizations should evaluate the additional risks associated with processing account data in unsecured locations and implement controls accordingly. All staff should be made fully aware of the risks related to remote or home-working and what should be required to maintain the ongoing security of systems, processes, and equipment supporting the processing of telephone-based payment card data.”

These topics are only some of the items that should be taken into consideration for the emerging WFH environment and the employees working within it. Additional items might need to be considered depending on the nature of an entity’s interaction with cardholder data and the devices used within these environments. Whenever in doubt, consult your QSA and / or acquirer. All organizations should ensure that employees have been educated on updated policies and on the risks posed by the adoption of working from home.

Additional guidance can be found here:
