Covid-19: here to help

“PCI DSS compliance is not our primary concern… the primary concern is that you can continue to operate your business taking payments as required.

This guidance is to help you do that as securely as you can but be aware not all the following is in keeping with PCI DSS compliance requirements. These are interim measures in the current extraordinary circumstances. Therefore the guidance is temporary but we expect you to achieve full PCI DSS compliance as soon as is practical for your business to do so.”

I need to be able to take payments from home over the phone. How can I do this securely?

There are three aspects to doing this securely – People, Process and Technology. Let’s talk you through them one by one:

People - if you are sharing space with others in your household when taking payments over the phone, consider the following

• Avoid repeating your customer’s personal details, including card details, back to the caller when somebody can overhear your call.  
• If your call can be overheard, make sure you have told all others in your household that they must not write down or do anything else with the details they may hear.
•  If your customer’s personal details, including card details, are written or printed on paper, make sure you have told all others in your household that they must not remove, make copies of or do anything else with that information.:

Process – considerations to reduce the amount of cardholder data in your home environment:

• Process the payment immediately while on the phone with your customer.  This will avoid the need for you to write down your customer’s card details.
• If writing down the card details is unavoidable, make sure you redact (e.g. with black marker pen) or shred/destroy the paper the card security code is written on. You must not keep a copy of the card security code after you’ve processed the payment.
• Keep any papers, order forms, receipts, records, etc. that show the full card number away from anyone in the household who has no need to see that information. Put the papers away when you aren’t present, preferably locked away if this is possible.
• If you don’t have a business reason to retain papers, order forms, receipts, records, etc. that show the full card number, make sure you:
  • Securely dispose of the information as soon as you can. For example, cut up, shred or otherwise destroy the papers so the information cannot be recovered and misused
  • If you can’t dispose of the papers in their entirety, for example, because they are your order records, redact (e.g. with black marker pen) the long card number so at most only the first six and last four digits can be read
• Do not accept your customer’s card data via email or other messaging service or chat app;
  • Take the card details over the phone or if the customer is able to pay online, talk to Elavon on 1800 995 085 about using our Pay By Link solution to send your customer a link to a secure payment portal to make their payment.
  • If you inadvertently receive card data via email, remove it and let the sender know your preferred method to receive card details, i.e. via phone or mail.
• Avoid creating any electronic records or copies of your customer’s payment card data.

Technology – options to process a card payment at home.

Before Covid-19 cybersecurity experts would see attempted malware attacks on our data maybe twenty or thirty times a day. Since Covid-19, that’s risen – and sharply. In the space of just seven hours one firm – ESET – recorded 2,500 in under 7 hours as reported in Forbes. Cybercriminals, clearly more used to working from home than the majority of us, are keen to make the most of the opportunities our new working environments present. So Candice Pressinger, Elavon Europe’s Director of Customer Data Security, has some tips on how to keep your valuable data safe when operating your business outside your usual workplace:

• Data leakage and data loss: The risk isn’t just processing data right now – but also in the future. When this crisis is over, will you recall all the places you’ve saved data?
• If you’re working away from your usual workplace it’s more important than ever to make regular backups.
• It’s vital those back-ups are encrypted and stored somewhere requiring two-factor authentication (2FA) to access.
• Cloud storage or centralised storage that’s remotely accessible is preferable – such as Office 365 SharePoint.
• DropBox or GoogleDocs are options, but access controls should be applied for greatest protection. 
• Beware of phishing attacks: Fraudsters are making the most of people’s fears and concerns right now and ramping up the number of phishing emails – don’t click! Some of these include messages pretending to be from the World Health Organisation with life-saving advice or the government offering tax refunds during the pandemic.
• Insecure home WiFi networks: Bet when you installed your home WiFi you weren’t expecting to run your business using it? So make sure you are using WPA2 and that your networks are password-protected. Make sure you’re not still set-up with the default admin username and password! Even better would be to use a Virtual Private Network (VPN) where you can to connect between your home and business.
• Risks to business devices: Our mobile phones, laptops, tablets and the like are all potential weak spots in our security armour – ripe for unauthorised use or misuse. So make sure they are password protected, and – as ever - don’t share the password with anyone.
• Software and hardware vulnerabilities: Malwares and online threats are constantly evolving and growing ever more sophisticated, but so too is the protection against them. However, it only works if you keep your software and hardware updated. So make sure you’re allowing for security updates – OS patches/updates, anti-virus updates, updates to software. 

Our working – and home - environment is changing faster than ever before, and you are not alone in facing that. We’re here if you want advice. Email me at data-security@elavon.com or visit our dedicated pages at Elavon.ie/security

Download Infographic

My PCI DSS on-site assessment is due but my QSA cannot come to site due to COVID-19 risks to health and/or travel restrictions.  Can my QSA complete my compliance assessment remotely?

In short, yes – but additional steps must be taken to ensure the integrity of the assessment, and it may take longer as a result.

The PCI Security Standards Council (PCI SSC) has provided guidance to QSA Companies on performing remote assessments.  While on-site assessments are always expected, the Council has recognised that Coronavirus lockdown and social distancing may temporarily prevent an assessor from being able to travel to or carry-out an on-site assessment.

There are three main areas where remote assessments pose a challenge to the quality and integrity of compliance assessments:

• Physical Site Inspections
• "Over the Shoulder" Observations
• Resourcing/Scheduling 

For example, it may take longer to conduct the assessment remotely due to the need to gain additional assurance that controls are ‘in place’ and where personnel are not available due to self-isolation or illness.  Your QSA should have guidance for their customers and procedures in place to manage the risk for each of these particular areas of an assessment.

The Council’s guidance, also published on their website, allows QSAs to perform assessment remotely if:

• The need for remote assessment of PCI DSS controls is justifiable (as it is likely to be for assessments in most countries due to travel restrictions, hotel closures and social distancing rules.)
• The remote assessment methods available to and used by the QSA provide an equivalent level of assurance that controls are properly implemented and PCI DSS requirements are met.
• Measures are taken to ensure the integrity of the assessment. That is, the QSA makes sure the people interviewed and assets examined are the same as they would be if the assessment was on-site. For example by checking prior to commencing the testing procedures that the asset presented is the asset expected. In addition, the QSA should be the one selecting the systems sampled/examined not the assessed entity.

The QSA must then document in the Report on Compliance (ROC) why testing wasn’t performed on-site (whether the assessment was fully or partially remote) and explain the steps taken to ensure the remote testing provided an equivalent level of assurance. 

Measures might include:

• Using secured collaborative platforms (such as Microsoft Teams, WebEx, GoToMeeting, Zoom, etc.) to conduct remote interviews via video where possible.
• Where possible, conducting physical site reviews via real-time video observation (i.e. Skype, FaceTime, Microsoft Teams, etc.).

Collecting additional evidence to tie remote observations to the physical assets presented during the remote observation.