Aurora Payments Shares A Few Important Considerations For The Protection Of The Cardholder Data Environment (CDE)

The pandemic forced many companies to ask employees to work from home. Many companies extended flexibility to their work force with fully remote or partially remote options as the world returned to normalcy. With back-to-school season ramping up, it is likely that employees will opt to stay home with their younger children or make accommodations with their employer to stay home partially or entirely during the work week.

While this provides health protection for employees, it may also create concerns with PCI compliance if your employees are handling and processing credit cards from home. PCI regulations require merchants to continuously maintain their PCI compliance status. If there are significant changes made to the cardholder data environment, you should check to see how these changes might affect your PCI compliance status. 

Evaluate the Process

When employees must process credit cards from home, evaluate the process of how employees will collect and process the transaction. How is the credit card information received by employees? Is it being taken verbally over the phone or received in emails? Both of these push the envelope of the processing environment. Full credit card data is never to be written or printed. Once the credit card data is received, what does the employee do next to process the transaction? What devices and/or internet procedures are involved in the transmission of cardholder data? Does your employee use a firewall? It is important to note that any system involved in the storage, processing, or transmission of cardholder data becomes part of the CDE and must be deemed safe and within compliance requirements.

Office Rules Apply at Home

You likely have controls in place to within your office to manage your CDE and to protect cardholder data. Work-from-home scenarios should follow the same protocols used in the office. You can maintain security protocols by extending your business network via a VPN connection and providing company-owned mobile devices that can be managed remotely. 

Annual Compliance Assessment Issues

Working with credit cards from home can affect a merchant’s annual PCI DSS assessment. If you are a Level I or Level II merchant, you likely perform an annual assessment using a Self-Administered Risk Assessment program of have outside assistance. Keeping the assessment questions in mind, do you feel that employees handing cards from home are in compliance with PCI requirements? If you have any doubts, please contact Aurora Payments for a review of your procedures and CDE.

An important consideration is that PCI DSS requires that upon significant changes to the CDE, a merchant must verify that all relevant PCI DSS requirements have been implemented within the new environment. This includes updating all documentation such as policies and procedures. PCI DSS also requires that vulnerability scanning, penetration testing, and risk assessments be performed after a significant change to the CDE.

Now is the time to review what steps should be taking if you have had a significant change to your CDE, before you complete your annual assessment. Be sure you are familiar with applicable policies and keep documentation that can be shown that you took steps to maintain PCI policies and procedures were followed even when your employees worked from home.