Because of the COVID-19 epidemic, the company's employees, contractors, business partners, vendors, and other roles involved in PCI DSS activities have had to change the way they connect to the Cardholder Data Environment (CDE) to do their job. Many of these connections are now made remotely, using employees' home connections and - in some cases - using non-corporate computers, exposing the organization to attack vectors that did not exist when these connections were made locally.
This situation has forced many companies to implement their continuity plans to ensure that operation continues under this exceptional scenario, testing the requirement 12.10 of PCI DSS, which requires the existence of an incident response plan that incorporates business recovery and continuity actions.
This article will list the PCI DSS controls that apply to all remote connections to the CDE, based on the following generic network architecture. It will help to minimize the risk these connections bring to the Cardholder Data Environment, avoid amplification of the compliance environment, and ensure that remote connections meet PCI DSS criteria:
It is assumed that the platform that enables remote connections (virtual private network connections (IPsec/TLS VPN), virtual desktop infrastructure (VDI), remote desktop services (RDS), etc.) and the workstation connecting to the environment remotely are compliant with PCI DSS controls while in the compliance environment (in scope).
The PCI DSS requirements that are exclusively applicable to workstations that connect remotely to the CDE are:
Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
Third-party remote access
Manage IDs used by third parties to access, support, or maintain system components via remote access as follows:
Multi-factor authentication (MFA) controls
Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity's network.
Use of unique credentials by each customer (only applicable to service providers)
Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
Usage policies for critical technologies (including remote access)
Develop usage policies for critical technologies and define proper use of these technologies, including:
Automatic disconnection of remote access sessions
The automatic disconnect of sessions for remote-access technologies after a specific period of inactivity
Use of remote access for third parties only when necessary
Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after its usage.
No copying, moving or storing of card data when accessed remotely
For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media unless explicitly authorized for a defined business need. Where there is an authorized business need, the usage policies must require the data to be protected per all applicable PCI DSS Requirements.
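Several of the controls above (MFA on every remote ID, third-party IDs enabled only while needed, one credential per customer for service providers, automatic disconnect of idle sessions) can be verified continuously against an export of remote-access accounts and live sessions. The following audit script is an added example written for this article, not Advantio's or the PCI SSC's own tooling; the record fields, the sample data and the 15-minute idle limit are all assumptions (PCI DSS only says "a specific period of inactivity").

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed record layout; field names are assumptions, not any product's export format.
@dataclass
class RemoteAccount:
    user_id: str
    third_party: bool            # vendor / business-partner ID
    enabled: bool
    mfa_enforced: bool
    open_support_request: bool   # an approved, current need for this ID to connect
    customer: str = ""           # service-provider accounts: which customer site this ID reaches
    credential_id: str = ""      # opaque reference to the secret actually used

@dataclass
class RemoteSession:
    user_id: str
    last_activity: datetime
    still_connected: bool

IDLE_LIMIT = timedelta(minutes=15)   # assumed policy value for automatic disconnect

def audit_accounts(accounts):
    """Return one finding per violation of the per-ID remote-access controls."""
    findings = []
    seen = {}   # credential_id -> first customer it was seen on
    for a in accounts:
        if a.enabled and not a.mfa_enforced:
            findings.append(f"{a.user_id}: remote access without MFA")
        if a.third_party and a.enabled and not a.open_support_request:
            findings.append(f"{a.user_id}: third-party ID left enabled with no current need")
        if a.customer:   # service-provider side: the same secret must not serve two customers
            first = seen.setdefault(a.credential_id, a.customer)
            if first != a.customer:
                findings.append(f"{a.user_id}: credential reused across customers {first}/{a.customer}")
    return findings

def audit_sessions(sessions, now):
    """IDs still connected past IDLE_LIMIT: automatic disconnect is not working for them."""
    return [s.user_id for s in sessions if s.still_connected and now - s.last_activity > IDLE_LIMIT]

def run_sample():
    now = datetime(2020, 5, 1, 10, 0)
    accounts = [   # constructed sample data
        RemoteAccount("alice", False, True, True, False),
        RemoteAccount("bob", False, True, False, False),
        RemoteAccount("vendor-pos", True, True, True, False),
        RemoteAccount("sp-ops-a", False, True, True, False, "MerchantA", "cred-1"),
        RemoteAccount("sp-ops-b", False, True, True, False, "MerchantB", "cred-1"),
    ]
    sessions = [RemoteSession("alice", now - timedelta(minutes=10), True),
                RemoteSession("bob", now - timedelta(minutes=30), True),
                RemoteSession("carol", now - timedelta(hours=2), False)]
    return audit_accounts(accounts), audit_sessions(sessions, now)
```

Feeding a real export into `audit_accounts` and `audit_sessions` gives a daily evidence trail that the remote-access policy is actually enforced, not just written down.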
However, additional security controls beyond PCI DSS can be deployed to improve the security level of the remote workstation, such as Data Loss Prevention (DLP), host IDS/IPS, USB and removable media device management, and other threat defense tools, based on the company's security strategy.
Besides, the PCI Security Standards Council (PCI SSC) has published the following documents to help merchants and service providers maintain the same levels of local (onsite) security on remote connections:
Finally, other organizations also have available material that may be useful in protecting teleworking connections or remote access:
As experienced security professionals, Advantio has the necessary expertise to help better secure your network.
I am the Senior Security Consultant at Advantio. I have more than 15 years of experience, working both in South America and Europe. My information security background includes consultancy and audit, training, implementation of security technologies, and design and policy development, among others.
Certifications: CISSP, CISM, CISA, CRISC, CEH, CHFI, PCI QSA, QSA (P2PE), 3DS Assessor