As the pandemic continues to spread across the globe, many organizations have been forced to run their operations from remote locations.
Government-mandated regulations and guidelines restrict the movement of individuals.
For certain types of jobs and domains these regulations pose no great problem; for other sectors, however, they create a real risk of non-compliance with data protection regulations and the relevant industry standards.
For organizations that must keep working from remote locations, the Payment Card Industry Data Security Standard (PCI DSS) is one such standard where maintaining compliance becomes a hurdle.
The standard has 12 requirements and 280+ sub-requirements that help businesses protect their people, processes, and technologies from breaches, theft of cardholder data (CHD), and fraud.
The requirements include implementing strong access control measures, protecting stored CHD, and maintaining an information security policy.
A recent survey by the Data Security Council of India (DSCI) found that 61% of organizations in India lack structured cybersecurity training for remote work, and 50% of cybersecurity professionals admitted that their organizations provided no cybersecurity training at all.
The question, then, is this: with cybercrime increasing significantly during the lockdown, how can the digital payment infrastructure be protected from compromise of user data?
Here are some best practices to prevent such cyber-attacks:
Reduce unwanted email traffic.
Install and maintain basic security controls such as antivirus, firewalls, and email filters that block known malicious IP addresses and domains.
Train employees and users on email and browser security best practices.
Instruct users not to click on suspicious links, to navigate to websites directly (by typing the address) rather than through links, to be cautious with email attachments, and to install only approved applications.
Keep the security software that blocks intruders and alerts on suspicious activity (antivirus, firewall, anti-malware and anti-spyware tools) up to date, and regularly verify that the web browser and the security software have the latest security patches installed.
Keep personal use, such as social media, on personal devices, and keep work devices separate from them.
Follow password hygiene: change passwords periodically and use strong passwords that mix letters and numbers and are hard for anyone else to guess. PCI DSS v3.2.1 Requirement 8.2.3 sets the floor at seven characters containing both numeric and alphabetic characters, and Requirement 8.2.4 requires a change at least every 90 days.
Use two-factor authentication. Many attacks rely on obtaining the password one way or another, and requiring a second factor such as a security token makes it much harder for an attacker to take over an account. PCI DSS already mandates multi-factor authentication for all remote network access into the cardholder data environment (Requirement 8.3).
The Payment Card Industry Security Standards Council (PCI SSC) has issued an information supplement, “Protecting Telephone-Based Payment Card Data”, which advises organizations to ‘evaluate the additional risks associated with the processing of account data in an unsecured location and implement controls accordingly’. The supplement groups the controls to have in place when working from home under people, processes, and technologies.
Some best practices for organizations that take card data from customers over the phone, such as BPOs:
1. Limit the data exposure
Employees should use only devices that are approved and provided by their organization, whether laptops, desktops, removable media, or phones.
This lets the organization control the systems and technologies used to complete payment processing.
Use Data Leakage Prevention (DLP) measures to prevent misuse of sensitive data.
DLP allows organizations to enforce security policies that monitor and control a system even when it is used outside the company network. Predefined policies can block credit card information from leaving through insecure exit points (for example email, web uploads, or removable media).
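The DLP policies described above need a reliable way to recognise a primary account number in outbound content without flagging every long number. The following is an added example (not code from the original article or from any DLP vendor) of the core of such a rule: a digit-run regex, a Luhn checksum to discard most phone numbers, order IDs and timestamps, and PAN masking to first six/last four so the redacted copy can be logged. The regex, the sample message and the decision format are my own simplifications for illustration.

```python
import re
from typing import Dict, List

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
# Hypothetical rule for illustration; a production DLP rule would also apply
# issuer BIN ranges and context keywords.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return normalised (digits-only) PANs found in text.

    A candidate must be 13-19 digits and pass Luhn; that filters out most
    phone numbers, ticket IDs and timestamps a bare digit regex would flag.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS v3.2.1
    Requirement 3.3 permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_outbound(message: str) -> Dict[str, object]:
    """Simulate a DLP exit-point check on an outbound message (email body,
    chat line, ticket note). Returns the block/allow decision, the PAN count
    and a redacted copy that is safe to write to a log."""
    pans = find_pans(message)
    redacted = message
    for pan in pans:
        # Match this PAN in any spacing variant and replace it with the mask.
        pattern = re.compile(r"[ -]?".join(pan))
        redacted = pattern.sub(mask_pan(pan), redacted)
    return {"allow": not pans, "pan_count": len(pans), "redacted": redacted}


# Constructed sample: one real-looking (Luhn-valid test) PAN, one 16-digit
# ticket number that fails Luhn, and a 10-digit phone number.
SAMPLE_MESSAGE = (
    "Customer card 4111 1111 1111 1111 exp 12/25, "
    "ticket 1234567890123456, call back on 9876543210."
)

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_MESSAGE))
```

The Luhn check is what makes the rule usable: the ticket number above is sixteen digits long but fails the checksum and is left alone, while the genuine card number is blocked and masked. Because the check works on the normalised digit string, an agent cannot evade it just by typing the number with spaces or hyphens.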
2. Use drive encryption
An employee working from home needs work material at home, often on portable storage such as external hard drives and USB sticks, and such devices are easily lost or stolen.
To keep the data on these devices out of the wrong hands, organizations must ensure that any data downloaded onto them is stored only in encrypted form.
3. Use of IVR
An automated Interactive Voice Response (IVR) payment system prevents the customer's card data from being exposed to the agent.
The customer keys the primary account number (PAN) and card verification code (CVV) on their phone keypad to complete the payment; the keypad tones are masked so that the agent on the other end hears only a uniform tone rather than the digits.
A well-designed IVR has further benefits: customers may feel safer entering their card data into the IVR than reading it out to an agent, and the agent's desktop and call recording never receive the PAN.
4. Use Webcams
Physical security controls such as biometrics and CCTV cannot be implemented in an employee's home. One option is to remove card data from the home environment altogether, which takes that location out of scope.
That requires redesigning the whole payment process, however, so a practical interim recommendation is to have agents keep their webcams on while processing payments, giving supervisors the visual oversight that CCTV would provide in an office.
5. Use of Customer Self Service Portal
A self-service portal is a set of functions made available to the customer from the company's website.
With a reliable, dedicated self-service portal, the agent sends the customer a link via email or SMS; the customer follows the link to the portal and enters their card details there to complete the payment, so the agent never handles the card data.
With proper precautions in place, any organization can minimize the chances of data loss or breach, and security awareness guidance like the above helps employees handle the organization's vital information and resources safely.