Due to the COVID-19 pandemic, the company’s employees, contractors, vendors, business partners, and other roles involved in PCI DSS activities began working remotely, which changed the way they connect to the Cardholder Data Environment (CDE) to do their jobs.
Employees now make remote access connections using home connections, in some cases using non-corporate computers, exposing organizations to attack vectors that do not exist when these connections are made locally.
The remote connection of employees to the cardholder data environment has forced many companies to implement continuity plans for remote connection scenarios. It also put PCI DSS requirement 12.10 to the test, which requires an incident response plan that includes business disaster recovery and business continuity actions.
Below you can find the PCI DSS controls applied to all remote connections to the CDE, based on the overall network architecture. You can find information to help minimize the risk that remote connections pose to the Cardholder Data Environment, prevent weakening of the PCI compliance environment, and ensure that remote connections meet PCI DSS requirements.
If we look at the PCI scope for remote accesses to the CDE side, we can draw the following conclusions:
- A network segment containing entities that process, store or transmit payment card data, namely the Cardholder Data Environment (CDE), is fully covered for all applicable PCI DSS requirements.
- A network segment containing various attached assets, or that could affect the security of the CDE, including a jump server, is fully covered for all applicable PCI DSS requirements.
- A home network that includes a workstation with administrative access to the cardholder data environment is fully covered for all applicable PCI DSS requirements.
Platforms that provide remote connections, such as IPsec/TLS virtual private networks (VPN), virtual desktop infrastructure (VDI), remote desktop services (RDS), and the workstations connecting remotely to the environment, must comply with the following PCI DSS requirements.
Are There Different Security Process Evaluations in Remote Accesses?
Methods of maintaining and ensuring the effectiveness of secure processes and controls may need to be implemented differently between onsite and remote environments. For example, authenticating a user who calls IT for support may involve different steps because the user and the IT department are in different locations.
All personnel should be trained to recognize potential phishing calls. IT teams must be prepared to detect fraudulent calls from individuals claiming to be remote users, and personnel calling IT for remote support must be able to verify their identity.
Similarly, remote personnel should know how to confirm that a person claiming to be from corporate IT is legitimate before providing any information.
You should assess the additional risks associated with processing payment data in unsafe locations and apply controls accordingly. All personnel should be fully briefed on the risks associated with working remotely and what is required to ensure the ongoing security of systems, processes, and equipment that support the secure access and processing of payment card data.
Your organization’s security processes should be kept up to date and prepared for any threats that may originate in remote environments. It is also critical to use technologies that ensure payment data security and allow remote personnel to perform their jobs securely when supporting remote work environments.
As with anything, employees are your first line of defense, and remote staff may not be familiar with the organization’s remote working policies and processes. All employees should receive security awareness training that emphasizes the importance of data security and become acquainted with your organization’s security policies and procedures that apply to remote working.
For example, policies and procedures should explicitly prohibit the unauthorized copying, movement, sharing, or storage of payment card data in remote environments. Remote personnel also need to be aware of their physical surroundings, preventing sensitive information from being viewed by unauthorized persons.
Below are the various security requirements that must be implemented to protect remote workers and their environments as specified by PCI DSS:
- For all remote network access from outside the corporate network, use multi-factor authentication.
- Enforce a strong password policy wherever passwords are used.
- Do not permit the use of shared passwords.
- Educate staff on the importance of protecting their passwords and other authentication information from unauthorized access.
- Ensure that all systems used by remote personnel have up-to-date patches, anti-malware, and firewall functionality to protect against internet-based threats.
- Uninstall or disable unnecessary applications and software to reduce the attack surface of computers and laptops.
- Implement access controls to ensure that only people who need access to the cardholder data environment (CDE) or cardholder data do so.
- Use only secure, encrypted communications to protect all transmissions to or from a remote device that contain sensitive information such as cardholder data.
- Automatically disconnect remote access sessions after a period of inactivity to prevent idle, open connections from being used for unauthorized access.
- Only personnel whose job requires it should have access to system components and cardholder data.
- Check that incident response plans are up to date and that key personnel have the correct contact information.
What Are the PCI DSS Remote Access Requirements?
Creating and maintaining a security culture within your organization is one of the most effective ways to reduce security risks. In addition, the physical environment in which an office worker or home worker receives card payments must be effectively monitored and access controlled. Limiting the exposure of payment data on your systems simplifies coverage and verification while decreasing the likelihood of being targeted by criminals.
Remote access software can be PCI compliant, provided that login is implemented securely using multiple authentication factors, the connection is encrypted, and the associated passwords meet all requirements set by the PCI Data Security Standard.
The PCI DSS requirements that specifically apply to workstations remotely connected to the cardholder data environment are as follows:
Install personal firewall software on portable computing devices that access the CDE remotely.
PCI DSS requirement 1.4 requires you to install personal firewall software, or equivalent functionality, on any portable computing device that connects to the Internet from outside the corporate network and is also used to access the CDE, such as laptop computers used by employees. Firewall or equivalent configurations must include the following requirements:
- Specific configuration settings must be defined.
- A personal firewall or an application with equivalent functionality must be actively running.
- Users of portable computing devices must not modify a personal firewall or an application with equivalent functionality.
Monitor third-party remote accesses.
PCI DSS requirement 8.1.5 requires you to manage identities used by third parties to access, support, or maintain system components via remote access as follows:
- Remote connections should only be enabled for the required time and disabled when not in use.
- Remote connections must be monitored during use.
Use multi-factor authentication (MFA) controls.
PCI DSS requirement 8.3.2 requires you to use multi-factor authentication for all remote network access from outside the organization’s network, including user, administrator, and third-party access for support or maintenance.
Use unique credentials for each customer, valid only for service providers.
According to PCI DSS requirement 8.5.1, service providers with remote access to customer facilities for activities such as supporting POS systems or servers must use unique authentication information for each customer.
Establish usage policies for critical technologies, including remote access.
Under PCI DSS requirement 12.3, you must develop usage policies for critical technologies and define the correct use of these technologies, including:
- Explicit approval by authorized parties
- Authentication for use of the technology
- List of all such devices and personnel who have access
- A method to accurately and readily determine the owner, contact information, and purpose
- Acceptable uses of technology
- Acceptable network locations for technologies
- List of company-approved products
Automatically terminate remote access sessions after a specified time.
PCI DSS requirement 12.3.8 requires automatic disconnection of sessions for remote access technologies after a specified period of inactivity.
Use remote accesses for third parties only when necessary.
PCI DSS requirement 12.3.9 requires that remote access technologies for vendors and business partners be activated only when needed by them and disabled immediately after use.
Prevent copying, moving, or storing card data when accessed remotely.
PCI DSS requirement 12.3.10 specifies that for personnel accessing cardholder data via remote access technologies, you prohibit copying, moving, and storing cardholder data to local hard drives and removable electronic media unless expressly authorized for a defined business need.
Where there is an authorized business need, the data must be protected in accordance with all applicable PCI DSS requirements, as specified in the usage policies.
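To show how the MFA (8.3.2), idle disconnect (12.3.8), and need-to-know access requirements above translate into a checkable configuration, here is an added example (not code from the original article or from the PCI SSC) that audits the global section of an OpenSSH sshd_config used as a remote access gateway. It assumes sshd is the remote access technology, a 15-minute idle limit as the organization's chosen policy value, and uses constructed sample configs.

```python
import fnmatch

IDLE_LIMIT_SECONDS = 15 * 60  # assumed policy value for 12.3.8, not from the article
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_sshd_config(text):
    """{keyword: value} for the global section; sshd honours the FIRST occurrence
    of a keyword, and Match blocks (conditional settings) are out of scope here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            break
        cfg.setdefault(key.lower(), value.strip())
    return cfg

def parse_interval(spec):
    """Convert an sshd time value such as '15m' or '900' to seconds."""
    unit = spec[-1].lower()
    return int(spec[:-1]) * UNITS[unit] if unit in UNITS else int(spec)

def audit(text):
    """Return {requirement: (passed, detail)} for one sshd_config text."""
    cfg = parse_sshd_config(text)
    out = {}
    # 8.3.2: every alternative chain in AuthenticationMethods must require two or
    # more methods (e.g. publickey plus an OTP via keyboard-interactive/PAM).
    methods = cfg.get("authenticationmethods", "")
    chains = [alt.split(",") for alt in methods.split()]
    out["8.3.2 MFA"] = (bool(chains) and all(len(c) >= 2 for c in chains), methods or "(unset)")
    # 12.3.8: ChannelTimeout (OpenSSH 9.2+) closes idle session channels. ClientAlive*
    # is only a liveness probe the client answers itself, so it never ends idle sessions.
    limit = None
    for entry in cfg.get("channeltimeout", "").split():
        pattern, _, interval = entry.partition("=")
        if fnmatch.fnmatch("session:shell", pattern):  # first matching pattern wins
            limit = parse_interval(interval)
            break
    out["12.3.8 idle disconnect"] = (limit is not None and 0 < limit <= IDLE_LIMIT_SECONDS, limit)
    # Need-to-know: an explicit allow list limits logins to personnel who need CDE access.
    allow = cfg.get("allowgroups") or cfg.get("allowusers")
    out["need-to-know access"] = (allow is not None, allow or "(unset)")
    return out

WEAK_CONFIG = "PasswordAuthentication yes\nClientAliveInterval 300\n"  # constructed sample
HARDENED_CONFIG = ("AuthenticationMethods publickey,keyboard-interactive\n"  # constructed
                   "ChannelTimeout session:*=10m direct-tcpip=5m\nAllowGroups cde-admins\n")
```

Running `audit(WEAK_CONFIG)` fails all three checks, while `audit(HARDENED_CONFIG)` passes them with a 600-second idle limit; a real review would also cover Match blocks, the PAM/OTP backend, and the VDI or VPN layers in front of the gateway.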
In addition to the PCI DSS remote access requirements outlined above, and depending on your company’s security strategy, you can use other threat defense tools such as data loss prevention (DLP), host-based intrusion detection and prevention (IDS/IPS), and USB and removable media device management to improve your security level.
You can also read the PCI Security Standards Council’s (PCI SSC) documents that help maintain security in remote access connections: