How to keep your business secure outside of your usual workplace
Jeremy King, Regional Head for Europe, PCI Security Standards Council
-
Our blog post https://blog.pcisecuritystandards.org/remote-assessments-and-the-coronavirus details how a remote assessment can be undertaken.
-
In general, the first sign we see that cardholder data has been stolen is that the card brands detect fraudulent use of the card data. Depending upon where the data is stolen, criminals will either use the data to perform Card Not Present fraud, using the stolen data to purchase items online, or use the cardholder data to create a copy card used for transactions. These days the criminals that steal the data will most often sell it on a dark web site, making it more difficult to trace and tackle the criminal that actually stole the data in the first place.
-
PCI Security Standards Council (PCI SSC) is busy reviewing and updating the PCI DSS following the first RFC. This process has been impacted by the travel restrictions preventing several face-to-face meetings where comments would have been reviewed. The process is continuing, but remotely, which has slowed the review process somewhat. We are still committed to releasing a second RFC this year, most likely end of quarter 3 or early quarter 4. We will of course provide lots of notification as to when that will be.
-
Multi-factor authentication is the best way for online connectivity. For calls, having an agreed word of the day, or using something that is known to you such as your employee number, would also help. But be aware of criminals calling you and prompting you for your number. It does not work that way; anyone from the company calling you should already be in possession of that data, and you should be asking them for it to confirm their identity.
-
No, it’s a global issue. However, the problem is you would not necessarily know where it was coming from, especially if the email address indicates it was an internal email.
-
Removing cardholder data from the remote working environment is, where possible, a very good step to take.
-
It is not the intention of the council to move the PA-DSS deadline, nor extend the deadline of applications that have just or are about to expire. Should that situation change we will ensure everyone is informed.
-
Unfortunately, given the timing and the internal processes required to set up a SIG, it is not possible to achieve this in a short timeframe.
-
The rationale for pushing back the end of approval for v3 terminals was to relieve an issue relating to delivery and shipment problems for the v3 terminals, caused by COVID-19, for final shipments and installation. It is not expected at this time to move the end of approval date for later versions of PTS devices.
-
From a standards perspective we will monitor these against the long term impact of the COVID-19 pandemic, and make adjustments as necessary. Any changes will be well announced to our community.
-
We are currently planning for all of our conferences to continue in person. These are: LAF Sao Paulo in August, Orlando USA in September, Nice Europe in October, Hanoi Asia in November and Mumbai India in December. If for any reason an event cannot proceed, then we are also planning backups which could include online events. Please note our request for topics and speakers at these events is still open; if you have an idea or suitable topic for our community, please visit our website (www.pcisecuritystandards.org) and submit by 1st May 2020.