3 tips to maintain PCI compliance in hybrid work environments

Angie Hipsher-Williams, Jonathan Sharpe
9/2/2021

Maintaining PCI compliance can be complex – especially when you consider the adaptations your business has made during the pandemic. As you implement hybrid work environments, these three tips can help you continue to stay compliant.

Every business has had to make its own adjustments and adaptations during the pandemic, deploying new systems, processes, and technologies to address a multitude of challenges. One of the biggest shifts for many companies, especially as it relates to Payment Card Industry (PCI) compliance, was the move to a remote work or work-from-home (WFH) environment. Because reliance on remote technology can change or expand the cardholder data environment (CDE), the scope of PCI compliance can change as well, and with hybrid in-office and remote work business models becoming more prevalent, we can expect many of these scope changes to become permanent.

These tips can help companies take pandemic lessons learned and use them to help obtain or maintain PCI compliance moving forward: 

1. Limit the scope of telephony to make the compliance process more manageable. 

The PCI Security Standards Council’s “Information Supplement: Protecting Telephone-Based Payment Card Data” [1] points out that systems used to accept cardholder data (CHD), and any systems connected to them, are in scope for PCI assessments. Any additional or new networks, systems, or devices that sit on or connect to the telephone payment path, including those used by work-from-home employees, are therefore in scope, for example:

  • WFH laptops running softphones
  • Voice over internet protocol (VoIP) servers
  • Call recording systems
  • VoIP architecture, including session border controllers (SBCs) and private branch exchange (PBX) devices
  • Session initiation protocol (SIP) signaling components, including the SBC that terminates them
  • Network devices in the segments these systems reside in

Here are a few common strategies for telephony scope reduction:

  • Outsource telephone-based payment card functions to a third-party service provider, or stop accepting payment cards over the telephone altogether.
  • Segment the VoIP environment so that all telephony hardware sits in one network segment, and limit the telephony scope to that segment.
  • Suppress or mask dual-tone multifrequency (DTMF) signaling, familiarly known as touch tone. DTMF sends a distinct pair of tones in the telephone voice frequency band for each keypad digit, so a caller keying in a card number is placing the primary account number in the audio path; suppressing or masking those tones before they reach agents and call recordings keeps the PAN out of both. The masking solution can be hosted either way:
    • On-premises: host and manage the hardware and the associated services, processes, and CHD traffic from the VoIP environment in-house. The masking system itself then remains in your scope.
    • Off-premises: host the hardware and the associated services, processes, and CHD traffic from the VoIP environment at a third-party location. The host is then a service provider whose compliance you must track under Requirement 12.8.
  • Use “plain old telephone service” (POTS, traditional analog phone traffic) or an out-of-band channel for card entry.
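
To make the DTMF masking strategy above concrete, here is an added example that is not from the original article or from any vendor's product. It implements the classic approach a call-recording path can take: run the Goertzel algorithm over short frames of the audio, recognize frames where one low-group and one high-group tone dominate, and blank those frames (plus a guard frame on each side) before the audio is stored, so the recording never contains the keyed digits. The signal is constructed inline rather than captured: 8 kHz mono float samples in which "speech" is a 300 Hz tone and the caller keys 4-1-1-1. The 205-sample frame, the 0.10 amplitude threshold and the 3:1 in-group dominance ratio are assumed tuning values, not figures from the PCI SSC supplement.

```python
# Added example (not from the original article): DTMF detection and
# masking with the Goertzel algorithm on an 8 kHz mono signal. Assumed
# parameters: float samples in [-1, 1], 205-sample frames, a 0.10 amplitude
# threshold and a 3:1 in-group dominance ratio; real deployments tune these.
import math

SAMPLE_RATE = 8000            # narrowband telephony
FRAME_SIZE = 205              # ~25.6 ms, the classic Goertzel DTMF frame length
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = ("123A", "456B", "789C", "*0#D")   # rows = low tones, columns = high tones
MIN_TONE_AMPLITUDE = 0.10     # each tone of the pair must reach this amplitude
DOMINANCE_RATIO = 3.0         # and beat the next-strongest tone in its group by this much


def goertzel_amplitude(frame, freq):
    """Estimate the amplitude of a sinusoid at `freq` within `frame`."""
    n = len(frame)
    k = round(n * freq / SAMPLE_RATE)                 # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:                                   # second-order IIR recursion
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2       # |X[k]|^2
    return 2.0 * math.sqrt(max(power, 0.0)) / n       # |X[k]| == A*n/2 for a pure tone


def _dominant_tone(frame, freqs):
    """Return the one frequency in `freqs` that clearly dominates the frame, or None."""
    ranked = sorted(((goertzel_amplitude(frame, f), f) for f in freqs), reverse=True)
    (best, best_freq), (runner_up, _) = ranked[0], ranked[1]
    if best < MIN_TONE_AMPLITUDE or best < DOMINANCE_RATIO * runner_up:
        return None
    return best_freq


def detect_digit(frame):
    """Return the DTMF digit keyed during `frame`, or None for speech/silence."""
    low = _dominant_tone(frame, LOW_FREQS)
    high = _dominant_tone(frame, HIGH_FREQS)
    if low is None or high is None:                   # DTMF needs one tone from each group
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def mask_dtmf(samples, frame_size=FRAME_SIZE):
    """Blank every frame that carries a DTMF digit; return (masked_samples, digits).

    One guard frame on each side of a detected run is blanked as well: the sliver
    of tone in a boundary frame can be too weak to detect but would still leak
    the digit into a recording.
    """
    frames = [samples[i:i + frame_size] for i in range(0, len(samples), frame_size)]
    per_frame = [detect_digit(f) for f in frames]

    digits, previous = [], None
    for digit in per_frame:                           # one digit per contiguous run
        if digit is not None and digit != previous:
            digits.append(digit)
        previous = digit

    blank = set()
    for i, digit in enumerate(per_frame):
        if digit is not None:
            blank.update((i - 1, i, i + 1))
    masked = list(samples)
    for i in blank:
        if 0 <= i < len(frames):
            masked[i * frame_size:i * frame_size + len(frames[i])] = [0.0] * len(frames[i])
    return masked, "".join(digits)


# --- constructed sample call (not a real recording) ---------------------------
def _tone(freqs, ms, amplitude=0.4):
    n = int(SAMPLE_RATE * ms / 1000)
    return [float(sum(amplitude * math.sin(2.0 * math.pi * f * i / SAMPLE_RATE) for f in freqs))
            for i in range(n)]


def _dtmf(digit, ms=100):
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    col = KEYPAD[row].index(digit)
    return _tone((LOW_FREQS[row], HIGH_FREQS[col]), ms)


def build_sample_call():
    """'Speech' (a 300 Hz tone), then the caller keys 4-1-1-1 with gaps, then speech again."""
    call = _tone((300,), 200, amplitude=0.6) + _tone((), 50)
    for digit in "4111":
        call += _dtmf(digit) + _tone((), 100)
    return call + _tone((300,), 200, amplitude=0.6)


SAMPLE_CALL = build_sample_call()

if __name__ == "__main__":
    masked, digits = mask_dtmf(SAMPLE_CALL)
    print("digits keyed:", digits)
    print("digits left in masked audio:", repr(mask_dtmf(masked)[1]))
```

Running it prints the keyed digits 4111 from the original audio and an empty string from the masked copy, while the "speech" before and after the digits is untouched. Two design points matter for scope reduction: the digits are only ever held in memory at the point of masking (a production system would hand them to the payment processor rather than keep them), and the guard frames exist because a detector that is tuned tightly enough to reject speech will miss the first and last slivers of each tone, which is exactly the residue an assessor will find in a recording.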

Get even more tips from our team in our webinar “Back to Work: The Future of PCI.”

2. Implement WFH compliance measures. 

Many companies continue to have at least a hybrid workforce, and the laptops of remote employees are additional workstations that can come into scope for PCI compliance. Because of this, these requirements from PCI Data Security Standard (DSS) v3.2.1 [2] might now apply when in the past they did not:

  • Requirement 1.4 – Install personal firewall software or equivalent functionality on any portable computing devices (company- or employee-owned) that connect to the internet when outside the corporate network and are also used to access the CDE.
  • Requirement 8.3 – Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using multifactor authentication.

In one scope-increase example, a business rolled out additional payment options for pickup, including curbside pickup. This drastically changed scope, bringing the entire organization’s network into PCI scope. Compounding this, IT was not aware of the additional scope, so it was discovered mid-assessment, resulting in compliance findings, delays, and extension requests for the Report on Compliance (ROC) and Attestation of Compliance (AOC). To avoid this, make sure that any change to a payment process or its supporting technology is reviewed for its effect on PCI scope and applicable requirements before it goes live.

3. Be prepared for scope adjustments when returning to the office or implementing a hybrid work environment. 

As companies retool their working model, whether fully in-office or, especially, for a hybrid work environment, these are some PCI considerations:

  • Systems that were powered off during pandemic disruptions and are now turned back on, and new systems added to handle increased load, are likely to be out of date. They need to be patched and vulnerability-scanned before they return to service.
  • Adding supporting or CDE system components may constitute a significant change, in which case the PCI requirements triggered by significant changes apply (6.4.6, 11.2, 11.3.1, 11.3.2). [3]
    • Even temporary changes may be judged significant depending on their timing relative to the ROC. Keep a record of the dates of each change; your independent assessor will want it.

Remember that the need to maintain PCI compliance does not stop with a new WFH or hybrid environment, but the scope of your compliance requirements may change. All requirements still apply and still require validation, but there have been changes to remote assessment procedures, so connect with your Qualified Security Assessor (QSA) to determine the options and requirements for on-site and remote assessments.


[1] Protecting Telephone-Based Payments Special Interest Group, “Information Supplement: Protecting Telephone-Based Payment Card Data,” PCI Security Standards Council, November 2018.
[2] “Payment Card Industry (PCI) Data Security Standard, v3.2.1,” PCI Security Standards Council, May 2018, https://www.pcisecuritystandards.org/document_library
[3] Ibid.


Angie Hipsher-Williams
Principal, IT Assurance Leader
Jonathan Sharpe
Principal, Audit and Assurance