The recent health crisis has led many organizations to modify payment processes and related PCI compliance activities, upping their cybersecurity risk. Consider these five actions to help your organization successfully maintain and attest to PCI-DSS compliance during, and after, the COVID-19 pandemic.
1. Assess the risk of significant changes to your environment.
It’s safe to say one or many — maybe even all — of your organization’s payment channels have changed as a result of the COVID-19 pandemic. Maybe you moved your customer service representatives to work-from-home arrangements, in line with your business continuity plan, which means your organization can still take payment cards over the phone. Maybe you implemented a new VPN solution to allow those users to access payment applications within your data center to process payments. Or maybe you hired a service provider to assist in setting these things up or even outsourced the taking of payment cards completely.
Deploying business continuity plans such as these could constitute a significant change to your cardholder data environment (CDE), and you must continue to be aware of and follow specific PCI requirements to ensure you’re not exposing your organization’s CDE to unnecessary risk.
Ask the following critical questions:
- Did your organization perform a proper risk assessment to understand the risks associated with any changes to your payment processes? Extending the CDE to remote locations, for example, introduces unique risks. This is likely to constitute a significant change and require you to revisit PCI compliance implications.
- When your organization made changes, did you confirm PCI-DSS requirements were implemented on the new processes? For example, when migrating to a work-from-home environment, did you update network and dataflow diagrams, harden remote computers per configuration standards, and provide security training related to the new processes?
- Did you validate the security of your new system and any network segmentation that was implemented? Perform vulnerability scanning and penetration testing where applicable to ensure the changes made haven’t introduced any unnecessary risks into your environment.
- Did you discontinue old payment processes and remove access for users who no longer need it? Unused systems shouldn’t be left open to potential exploitation while your focus is on operating during a crisis.
- Did your organization consult with a qualified security assessor (QSA) or other applicable stakeholders, such as brands or acquirers? It’s important to do so if you’re uncertain about the implications of any change to your CDE and need additional guidance.
2. Continue to fulfill periodic controls for compliance.
Though PCI-DSS is a point-in-time assessment, several specific compliance requirements are periodic in nature and need to be operating for the entire compliance year leading up to your annual PCI-DSS assessment. During this time of shelter-in-place orders, don’t count on a free pass for PCI compliance requirements due to business constraints. The focus may be on COVID-19, but you still need to perform your periodic security controls if you want to maintain PCI-DSS compliance.
It’s also important to ensure you’ve updated controls based on any changes that may have occurred to your environment. Take our customer service work-from-home scenario above: Did your organization update processes to perform semiannual reviews of firewall configuration to account for a newly installed VPN? Has your organization ensured you’re promptly removing users who don’t require access to the system anymore?
Finally, remind control owners that those controls must be appropriately updated to reflect changes in your environment and must operate effectively during your compliance cycle.
3. Create contingencies for your assessment process.
Performing on-site assessments may be difficult due to remote payment processes or impossible with travel restrictions and stay-at-home orders. The PCI Security Standards Council (SSC) has provided guidance on remote assessments but falls back to previous guidance that QSA companies and employees must be on site at assessed entities during a PCI-DSS assessment.
The guidance on remote assessment does provide for exceptions — such as travel bans and shelter-in-place orders — as long as your QSA can sufficiently document and defend the testing approach with each applicable control that requires observation for validation. Your organization will need to proactively work with your QSA to ensure a remote assessment is possible. And it’s important to discuss expectations with applicable stakeholders and get formal confirmation of your annual PCI assessment plan.
Finally, you’ll need to consider whether additional assessment activities will be required if your assessment was performed while your organization was operating in a time of crisis. You’ll need to ensure all applicable environments are assessed as part of your annual attestation process.
4. Plan your return to business as usual.
Your business will return to a normal state, or at least a new normal. It’s important to plan proactively, including for taking in-person payments again. Ask the following questions:
- Did we start any new payment processes during the pandemic that will now become business as usual?
- Will we need to train or brief employees on any compliance-related concerns or processes around returning to business as usual?
- What’s our plan for decommissioning any disaster recovery equipment or sites created to facilitate payment continuity during the pandemic?
- Do we have a plan in place to securely delete or migrate stored cardholder data to our usual CDE?
5. Take good notes, and be prepared for next time.
The current pandemic is unprecedented — make sure you’re taking notes. Even if your organization had a pandemic plan (if you’re like most, you probably didn’t), it may have been dated and not relevant for today’s technology landscape. Use the lessons learned from the current health crisis to consider how, in future crises, you can more smoothly execute your business continuity while also maintaining and attesting to PCI compliance. In fact, specific PCI requirements exist for how to implement what you’ve learned into your incident response plan. Your takeaways from the COVID-19 pandemic will comprise an important part of the evidence you’ll show your auditor come your next PCI-DSS assessment.
As you think about continuing to respond to the COVID-19 crisis and prepare to resume operations in a post-crisis new normal, remember: It won’t happen at the flip of a switch. As you begin the transition, you’ll need to look back and address changes made during the crisis. Don’t risk long-term, negative impacts of some of those decisions — decisions that may have enabled business continuity but that now can put the security of cardholder data or your PCI compliance status at risk.
Our guide, Cybersecurity and COVID-19: Near-term steps to respond, restart, and be ready, will help you manage the crisis. As always, if you have any questions, feel free to contact us anytime.