
Securing payment card data during COVID-19 pandemic

The PCI Security Standards Council provides necessary guidance to the payments industry during these evolving circumstances related to COVID-19.

April 06, 2020 / 20:11 IST
Nitin Bhatnagar

The COVID-19 pandemic has altered the way we do business globally. With quickly changing scenarios and a dynamic ecosystem, our reliance on technology has increased sharply. Today more of us than ever are working remotely, conducting business online and transacting digitally, often without realising that our payment data may be stored or processed in remote setups that lack the usual security controls. In such a situation, protecting payment data becomes more important than ever.

Reportedly, cybercriminals have begun exploiting the disruption caused by COVID-19. Several global reports indicate that criminals are capitalising on the crisis to commit fraud and steal private and confidential information, including payment card data, through phishing and social engineering schemes. CERT-In (the Indian Computer Emergency Response Team) and ReBIT (the technology arm of the Reserve Bank of India) have recently issued warnings about online threats and scams.

At all times, and especially during a crisis like this one, any business that transmits, processes and/or stores its customers' payment card data must focus on keeping that data secure. The PCI Data Security Standard (PCI DSS) provides a framework of security controls that, when implemented and continuously monitored, protects payment card data before, during and after a purchase is completed.

According to the U.S. Secret Service, the most common online attack during this period is phishing and social engineering. Criminals are exploiting the coronavirus situation by mass-mailing messages that pose as legitimate medical or health organisations offering important information about the virus. Attackers use phishing and other social engineering methods to target organisations with legitimate-looking emails and social media messages that trick users into handing over confidential data such as card numbers, account numbers or passwords.

These attacks have been around for a long time and are at the heart of some of the most serious cyberattacks, putting business and customer confidential information at risk. It is important to keep our guard up when opening emails and engaging on social media. As more people work remotely because of COVID-19, everyone needs to know how best to protect against phishing and social engineering.

So how can we defend ourselves against phishing/social engineering attacks?

  • Reduce unwanted email traffic
  • Train employees and users on email and browser security best practices
  • Use basic security tools that block intrusions and alert you to suspicious activity: firewalls, anti-virus, and malware and spyware detection software
  • Separate personal-use devices from work devices
  • Practice good password hygiene and use two-factor authentication

One of the best ways to mitigate that risk is to create and maintain a culture of security within the organisation. That includes implementing a security-awareness programme, reviewing security policies and procedures with all in-house and at-home/remote agents, evaluating the additional risks of processing account data in unsecured locations, and implementing controls accordingly. All staff should be made fully aware of the risks of remote or home working and of what is required to maintain the ongoing security of the systems, processes and equipment that support the processing of telephone-based payment card data.

Home workers should be required to ensure that any systems they use to process account data, and any account data to which they have access, are securely maintained and not accessible to any unauthorised individual. The physical environment in which an office worker or home worker takes card payments over the telephone should be effectively monitored and access-controlled:

  • Ensure that at-home/remote workers use a multi-factor authentication process when connecting to the telephone environment or to any systems that process account data
  • Restrict physical access to media containing payment card data, such as call or screen recordings, as well as networking/communications hardware
  • If account data is ever written or printed on paper, ensure it is securely stored, then shredded when no longer needed
  • If any part of the telephone environment is outsourced to a third-party service provider, both the entity and service provider should clearly understand their responsibilities for securing their respective systems, processes, and personnel, and document accordingly

By limiting the exposure of payment data in our systems we reduce PCI DSS scope and simplify validation, and we present a smaller target to criminals. Businesses must insist that only company-approved hardware is used (mobile phones, telephone handsets, laptops, desktops and other systems). This is especially relevant to remote/at-home working, so that the entity retains control of the systems and technology supporting the processing of telephone-based payment card data.

For a home/remote worker supported as an extension of the entity's network, make sure that their environment (e.g. network and other technology) is secured in accordance with the PCI DSS requirements. Any such implementation should be agreed with the acquirer or payment card brand.

Regardless of any global situation, security of payment card data and the entire payments ecosystem is critical to the continued growth and adoption of digital payments. The PCI Security Standards Council is dedicated to providing necessary guidance to the payments industry during these evolving circumstances related to COVID-19.

The author is the Associate Director – India for PCI Security Standards Council. (Written with inputs from original informative blogs published by the PCI Security Standards Council on PCI Perspectives.)