Over the last few weeks, our team of Qualified Security Assessors (QSAs) has been responding to questions from our clients about how they can maintain PCI compliance while transitioning their contact centers (and associated business processes) to “work from home.” It's not just an important topic, but a very valid one given that most organizations today have never dealt with these kinds of business challenges before; they truly are unprecedented. In many cases, just keeping the business operating is paramount, and we recognize how many variables are at play today.
The number one question so far has been:
“How do we do this and stay compliant with PCI?”
In turn, we've been asking:
“Is this a permanent change, or a short-term change that is related to business resumption?”
(Spoiler alert—the focus of all the recent conversations we have had on this topic was related to business resumption.)
The impact of COVID-19 on businesses across the country is significant, and the landscape is changing rapidly. Given these realities, our conversations have looked at the question with a short-term perspective.
Many companies work from a similar assumption: that geographic separation of their contact centers between the west coast and the east coast is sufficient, or that having services outsourced overseas provides redundancy for U.S. contact centers.
Clients providing contact center services face similar challenges. Performing business continuity planning in the face of a global, worst-case scenario was beyond the scope of most disaster recovery/business continuity exercises. Now these clients are asking us: “What recommendations can we make for addressing security and PCI DSS compliance if we need to migrate our contact center personnel to work from home?”
Online's PCI Steering Committee meets regularly. We are a team of about a dozen QSAs who have been around since the early days of PCI and who love talking about all things PCI. As we've been discussing the recent questions we've been getting from our clients, a few key thoughts have emerged that I wanted to share.
- First and foremost, our hats go off to our clients, and their teams of dedicated security, technical, compliance, and contact center personnel working to do the right thing by remaining as PCI compliant as possible, in the face of this daunting task.
- We want to remind everyone that entities are still responsible for all PCI DSS requirements, even as it relates to business resumption.
- And we want to propose two additional questions that are tightly related to business resumption:
  - How do you balance keeping the business operational while maintaining security and compliance?
  - Is there a silver bullet to tackle this challenge?
The answer to these questions is found in a commonly overlooked, yet sometimes poorly implemented, area of PCI and how it relates to risk management:
"Which assets are we trying to protect, what are the vulnerabilities, what is the threat?"
To implement a short-term fix to your business resumption process, you may want to incorporate a Risk-Based Approach. This is especially necessary given the time-sensitive nature of a rapidly changing disaster recovery plan, and the goal of keeping your business running and secure.
Follow your documented risk assessment process and methodology as outlined in PCI DSS Requirement 12.2. As you transition your contact center personnel, take a pause to pull together the business owners, process owners, and technical and security personnel to review and document the risk as it relates to your specific business technologies and processes. Have those discussions around what you are trying to protect, where the data is located, what is stored, who has access to Personal Account Numbers (PAN), versus an agent inputting CHD and only taking orders.
Pause, and think it through!
Go back to the basics regarding risk:
Identify critical assets, threats, and vulnerabilities, and document the results of your analysis. As a company, implement controls to address each risk, while balancing security and compliance with the needs of the business. For example:
What is the risk of forwarding calls over a cellular network to a contact center employee working from home?
PCI DSS indicates cellular networks are open, public networks, but what is the risk if our employees are dispersed across a large geographic area, and our PBX is forwarding those calls to a BYOD cell phone via the cellular network?
If taking on those risks is required to keep the business afloat, it is not hard to guess what a company will choose to do. Still, a documented analysis in the aftermath of an executed Business Resumption Plan will be critical. In the event of a breach of cardholder data (even during business resumption), it will be up to the card brands to determine applicability of a fine. Do what you need to ensure the viability of your business, while balancing security and compliance. That is always the recommended course of action.
Again, we commend our clients who are doing the right thing by maintaining security and compliance as we work through challenges associated with COVID-19. We understand and agree that from a business perspective, first and foremost, it is all about keeping your business operational and staying in business!
We highly recommend you contact a Qualified Security Assessor to talk through specific concerns regarding your situation, but the bottom line is that you are still responsible for maintaining PCI DSS compliance at all times. Don't hesitate to reach out to us. Our PCI team can be reached at firstname.lastname@example.org.
In closing, I will share some words relayed to me by a fellow QSA teammate:
"If we turn off the news, don’t listen to the worst-case forecasts, and take a deep breath, I think we know in our hearts the world will get through this, and we will come out the other side stronger in the long run."
At a minimum, we can be sure our business resumption plan will improve…
For more information on business resumption, see FAQ #1323: https://www.pcisecuritystandards.org/faqs
If you're interested in learning about alternative solutions for your Contact Center, please join us for our Conversational AI Webinar, scheduled for April 7.