COVID-19 has caused more employees to work remotely or at home, presenting cybersecurity challenges to organizations in the payments industry. The PCI Security Standards Council has issued best practices to secure and protect telephone-based payment card data while working remotely. These best practices include:

  • Train staff.  Ensure any systems that remote workers use to process or access account data are secured and not accessible to unauthorized third parties.  By implementing a security awareness program, staff can be made aware of the risks of working remotely and learn how to maintain security when processing telephone-based payment card data.
  • Control access to payment card data. The physical environment staff use to take card payments should be controlled. Remote workers can, among other things, use a multi-factor authentication process when connecting to any system that processes account data, restrict access to media (for example, call recordings) that contain payment card data, and shred any hard-copy paper on which they print or write payment card data.
  • Use adequate technology.  Hardware in remote work environments should include the latest approved security patches, adequate firewalls and approved, updated virus-protection software.

For more information on the above and other best practices, see the PCI Security Standards Council’s Information Supplement “Protecting Telephone-Based Payment Card Data.” Note that the guidance states that it does not replace or supersede any requirements in any PCI SSC Standard.