The Challenge to Remain PCI & NIST Compliant During the Shift to Remote Work

The Challenge to Remain PCI & NIST Compliant During the Shift to Remote Work

Andrew Douthwaite

May 14, 2020

Last updated August 18, 2022

Summary:

  • PCI (payment card industry) compliance is required to keep credit card transactions safe for processors. It’s requirements include multi-factor authentication, strong password policies, regular security updates, implementing access controls, and more.
  • NIST (the National Institute of Standards and Technology) has specific guidelines for remote workers, including policies for accessing company resources with personal devices, setting up secure home networks, improving endpoint security, and more.
  • Organizations should take steps to comply with both PCI and NIST so that their cybersecurity posture can accommodate remote work responsibly.

Recent events have required many companies to redirect a significant amount of their labor force from an onsite setting to working from home. This sudden shift in company resources and personnel caught many businesses off-guard, requiring a chaotic scramble to reorient their necessary technologies and staff. However, the aftermath of that tumultuous period now leaves companies wondering where to begin on repairing their new or existing security and compliance policies.

To help you safeguard your organization’s digital assets, here are a few things you should consider as your workforce shifts to remote work.

See also:

Remote Work Brings Unique Cyber Threats

While your head office or other worksites may have robust safeguards in place, your employees may not be so well situated at home. Recent events have demonstrated the power of remote workforces, but these BYOD systems do not come without risks.

Shifting to remote work, particularly if the shift is sudden, can bring with it associated costs and infrastructure changes. However, organizations must work to ensure they remain both NIST and PCI compliant, even when planning and implementation time is short.

Remaining PCI Compliant


PCI (Payment Card Industry) compliance is mandated by credit card companies and consists of a set of rules that are designed to safeguard credit card transactions from a processor standpoint. A sudden shift to remote work can disrupt many established practices, so organizations need to be vigilant and ensure new work arrangements and processes remain compliant.

PCI DSS mandates several security requirements that are designed to protect remote workers and their environments. These include:

  • Requiring the use of multi-factor authentication by all remote network access users who are currently located outside the company’s network.
  • Enforcing strong password policies that prohibit the use of shared passwords. Workers should also be taught why safeguarding their passwords and other authentication credentials from unauthorized users are critical from a cybersecurity standpoint.
  • Requiring all systems used by remote staff to be kept up to date by downloading security patches as they are released, installing anti-malware protection software, and insisting on robust firewalls to defend the network from external, internet-based threats.
  • Having workers uninstall or disable any applications and software on their devices that are not required. This reduces the attack surface for both computers and laptops. However, this may not be possible if your organization relies on employees using their own devices (a BYOD policy) as opposed to company issued computers and laptops.
  • Implementing access controls so that only individuals who need to access the cardholder data environment (CDE), cardholder data, and related system components to do their job are able to access those resources.
  • Providing workers with secure, encrypted forms of communication (such as VPNs) to ensure that all transmissions to and from the remote device are protected. This is particularly vital for transmissions that contain sensitive information, such as cardholder data.
  • Configuring your network to automatically disconnect remote access sessions after a set period of inactivity. This helps prevent idle, open connections from being used by cybercriminals to gain unauthorized access to your organization’s network.
  • Ensuring you have an up to date incident response plan based on accurate contact data for key personnel. You should have procedures in place for detecting and responding to potential data breaches, and make sure these procedures are calibrated for remote work environments.

If you are unsure if your new remote work policy is PCI compliant, please review the PCI compliance guidelines carefully or reach out to your MSSP for guidance and assistance.

Remaining NIST Compliant


NIST (the National Institute of Standards and Technology) guidelines on ensuring compliance for remote workers are covered in their special publication: 800-46 (Revision 2) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. They also created a companion guide (User’s Guide to Telework and Bring Your Own Device (BYOD) Security), which should be carefully reviewed by all remote workers.

You, and your employees, should review both documents carefully to help ensure your organization remains compliant. For additional information, you should also review NIST’s blog post on telesecurity basics, which provides a few helpful tips for both remote workers and the organizations that employ them.

There are a few things you should do to help ensure compliance and better safeguard your network and other digital assets:

  • Management should review their current policies regarding remote work carefully. Make sure your employees are clear on what company resources they are and are not permitted to access from their personal devices. For example, reading work emails may be permitted, but accessing sensitive files may not be. Make sure all employees are aware of these rules and are able to comply with them.
  • Take steps at an organizational level to protect communications from eavesdroppers. If employees are using Wi-Fi at home, make sure they have the tools and knowledge they need to set up secure networks. Make sure employees are using WPA2 or WPA3 security.
  • Make sure employees are using hard to guess passwords (section 5.1.1.1 of the NIST password guidelines are a useful resource for setting organizational password standards).
  • Consider providing users with VPNs.
  • Take steps to improve endpoint security at an organizational level and encourage employees to take similar steps regarding their personal devices.
  • Require all remote workers (especially those using their own devices) to enable basic security features such as PINs, fingerprints, or facial ID features. These steps are crucial for safeguarding devices that are lost or stolen. Make sure all PINs and passwords are hard to guess.
  • Make sure employees keep their software up to date on both their computers and mobile devices. Most devices provide options that allow them to check for and install updates automatically.
  • Make sure employees know who to contact if they encounter anything suspicious (such as spam), and ensure that all contact information for key personnel is up to date. Make sure employees understand how to identify suspicious behavior, and are encouraged to report everything, no matter how insignificant it may seem. When it comes to cybersecurity, it’s always better to be safe than sorry.

The way many of us work has changed dramatically over the past few weeks, causing many organizations to rapidly pivot to remote work. Making sure your organization takes steps to ensure continued compliance with both PCI and NIST guidelines helps ensure sensitive data remains secure.

If you have any questions about these guidelines or are not sure how to adapt your current cybersecurity posture to accommodate remote work, please speak to your MSSP for advice and guidance.

Post Categories

Related Posts