If your business handles credit card and payment information, you’re responsible for keeping that cardholder data secured by meeting the Payment Card Industry Data Security Standard (PCI DSS) compliance requirements. But when your workforce is remote and your endpoints are unprotected, keeping that data safe is an unprecedented challenge facing today’s security teams.
As more employees and contractors work remotely, customer data is no longer seen only by authorized employees. Company devices and endpoints are increasingly being shared with unauthorized users, sometimes “innocently” (like handing your company laptop to your kid to watch Netflix) and sometimes maliciously, for money. Regardless of the scenario, when unauthorized users access customer financial data, it violates PCI DSS compliance and can cause real damage to your security, reputation, and customer trust if sensitive data is exposed.
To help you navigate PCI DSS compliance and the unique challenges of securing devices with a remote workforce, we’ve compiled a list of the top 5 frequently asked questions and answers. You’ll also learn why continuous authentication of endpoint devices is a crucial step in achieving your PCI DSS compliance goals and keeping cardholder data secured in remote environments.
Let’s dive in!
P.S. If you want to download the full Whitepaper and learn more about how continuous endpoint authentication helps you stay PCI DSS compliant, click here.
What is PCI DSS?
The Payment Card Industry Data Security Standard is a set of security requirements created by the major credit card brands. PCI DSS exists to help organizations store and properly handle customer payment information through a continuous compliance loop in which they assess, repair, and report how payment and card data is being handled at all times.
The standard is created and governed by the PCI Security Standards Council, an organization that was established in 2006 by American Express, Discover, JCB International, Mastercard, and Visa Inc. It follows a common-sense process that builds on security best practices for all entities that store, process, or transmit cardholder data.
Although compliance assessments happen only periodically, it’s important to note that PCI DSS compliance is not a one-time or annual event, but rather a continuous process to achieve and maintain a level of defense against cyber threats aimed at stealing your consumers’ payment and card information.
To learn in more detail why credit card brands mandate compliance and what the risks for non-compliance are, read this PCI DSS Whitepaper.
Why is PCI DSS relevant for all businesses?
Cardholder data theft and breaches affect the payment card ecosystem as a whole. For customers, there is a huge personal fallout in terms of their data being exposed, their credit being negatively impacted, and them losing trust in merchants and financial institutions. For merchants and financial institutions alike, such breaches imply the loss of credibility and financial penalties, but could also mean a number of other daunting consequences.
Though PCI DSS compliance is not mandated by government law, staying compliant is highly recommended and is considered effectively mandatory through court precedent. That precedent was established in a landmark 2015 case, Federal Trade Commission v. Wyndham Worldwide Corporation, in which PCI DSS was identified as the approved standard for the case, in favor of the FTC.
Worldwide, companies that handle credit cards from the major card brands must follow the security standard. PCI DSS contributes to the security and protection of the entire payment card ecosystem. It lays out requirements designed to guide merchants, service providers, and acquirers in addressing vulnerabilities and risks at all stages of data handling.
What changes has remote work brought to data security?
In the past, when your employees worked primarily on-premise and inside the office, your security practices differed greatly from today, when more and more employees prefer to work remotely. But something that hasn’t changed is that customer data continues to be accessed on company endpoints, regardless of whether the endpoint sits on an employee’s kitchen countertop, their couch, or an office desk.
Before work from home became popular, your security team was able to authenticate (and re-authenticate) the identity of your workforce almost constantly throughout the day: by checking ID badges, by scanning key fobs to enter buildings, by reviewing CCTV cameras inside the office, or by requiring usernames and passwords to access any company computer.
But when your contractors and employees work remotely and out-of-sight, you can’t know for sure who is actually using their computer, unless you can continuously authenticate the person using that device at all times.
Let’s say you have a login system in place and employees use usernames and passwords to access your systems securely. What happens to the security of those systems when that remote company endpoint is shared with unauthorized users — for example household members? If you don’t continuously know that your endpoints are in the right hands, how can you make sure that your customers’ payment and card information is secure?
How does continuous endpoint authentication help you achieve PCI DSS compliance requirements?
Working from home blurs the lines between work and life — both physically and technically. And, although not everyone is malicious, everyone is likely to share their company devices at some point with an unauthorized user. With remote work, devices that were previously dedicated to only handling customer information and drafting business reports are increasingly being used by multiple family members, roommates, and friends for personal tasks like entertainment, education, and social networking.
Due to this increase in device sharing when employees work remotely, regardless of whether employees share devices innocently, foolishly, or maliciously, periodic authentication of company endpoints is simply not enough. The best option for endpoint security is to adopt a zero trust philosophy. This means continually checking every user’s access to your systems, even after they have authenticated with a username and password at the front door.
Because data security remains the main point of PCI DSS compliance, managing access control to that data is vital in keeping it safe, especially when your devices are off-premise and out of sight. When continuous authentication solutions like TypingDNA ActiveLock are added to your company endpoints, the security app runs passively in the background — constantly verifying that only your authorized employees can access your company’s computers.
Download the full PCI DSS whitepaper below for more details on the types of device sharing that occur when your workforce is remote, as well as the key PCI DSS requirements you’ll achieve when adopting continuous endpoint authentication.
How does ActiveLock work and how does it help you stay compliant?
One example of continuous authentication technology is ActiveLock Continuous Endpoint Authentication from TypingDNA.
ActiveLock recognizes users by how they type, locking out any intruder or unauthorized user when they physically take over your employees’ computer.
Because it uses typing-based biometric authentication technology, ActiveLock is frictionless compared to other biometrics solutions such as fingerprint scanners or facial recognition software, which require employees to actively authenticate themselves many times throughout the day. ActiveLock was built as a frictionless continuous authentication solution from the get-go and doesn’t require investing in external hardware, long integration times, or user effort.
What this means is that unless the device is physically taken over by an unauthorized user, employee productivity will not be affected — but your endpoints will remain safe from being shared.
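An added illustration, not TypingDNA’s code or ActiveLock’s actual algorithm, of how a typing-based continuous authenticator can work in principle: enroll a timing profile for the employee, score each window of keystrokes in the background, and lock the session only after consecutive out-of-profile windows so a single clumsy burst does not lock out the legitimate user. All keystroke timings, thresholds and function names here are constructed assumptions.

```python
import statistics
from typing import Dict, List, Optional, Tuple

# A keystroke is (dwell_ms, flight_ms): how long the key was held, and the gap
# to the next key press. Every timing in this file is constructed, not captured.
Keystroke = Tuple[float, float]
Profile = Dict[str, Tuple[float, float]]

def make_keystrokes(n: int, dwell: float, flight: float, seed: int) -> List[Keystroke]:
    """Deterministic synthetic keystrokes with small jitter around a typist's timings."""
    return [(dwell + ((i * 7 + seed) % 11) - 5, flight + ((i * 5 + seed) % 13) - 6)
            for i in range(n)]

def build_profile(enrollment: List[Keystroke]) -> Profile:
    """Enrollment: mean and population stdev of each timing feature."""
    dwells = [k[0] for k in enrollment]
    flights = [k[1] for k in enrollment]
    return {"dwell": (statistics.mean(dwells), statistics.pstdev(dwells)),
            "flight": (statistics.mean(flights), statistics.pstdev(flights))}

def deviation(profile: Profile, window: List[Keystroke]) -> float:
    """Largest z-score of the window's mean timings against the enrolled profile."""
    scores = []
    for feature, idx in (("dwell", 0), ("flight", 1)):
        mean, stdev = profile[feature]
        stdev = max(stdev, 1.0)  # floor so a very regular typist cannot lock themselves out
        window_mean = statistics.mean([k[idx] for k in window])
        scores.append(abs(window_mean - mean) / stdev)
    return max(scores)

def monitor(profile: Profile, stream: List[Keystroke], window: int = 10,
            threshold: float = 3.0, strikes: int = 2) -> Tuple[bool, Optional[int]]:
    """Continuous check over a session's keystroke stream. Each window is scored
    passively; the session is locked after `strikes` consecutive bad windows.
    Returns (locked, keystroke index at which the lock fired or None)."""
    bad = 0
    for end in range(window, len(stream) + 1, window):
        if deviation(profile, stream[end - window:end]) > threshold:
            bad += 1
            if bad >= strikes:
                return True, end
        else:
            bad = 0
    return False, None

# Constructed scenario: the employee enrolls, types 30 keys, then someone else
# with noticeably slower timings takes over the keyboard.
OWNER_PROFILE = build_profile(make_keystrokes(60, dwell=90, flight=120, seed=1))
SESSION = make_keystrokes(30, 90, 120, seed=2) + make_keystrokes(30, 160, 250, seed=3)
```

Running `monitor(OWNER_PROFILE, SESSION)` locks at keystroke 50: the first intruder window (keys 30 to 40) is the first strike and the second confirms the takeover.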
Read the whitepaper to learn why continuous endpoint authentication is critical to your workforce security
If your company handles customer card and payment information, compliance with the Payment Card Industry Data Security Standard is something you must achieve to maintain your customers’ trust. The sooner, the better. Not only is this important for the sake of your customers’ privacy and safety, but also because with non-compliance you are at serious risk of having your right to accept certain card brands for customer payments revoked by the major card brands that govern PCI DSS. Not to mention the fines and monetary damages for non-compliance that follow a data breach.
Because sensitive data is out of sight on remote company devices, you never actually know who has access to that data, since those devices can easily be shared by remote employees with other parties. To protect your customers’ payment information, and to lower the risk of non-compliance with the PCI DSS requirements, protecting remote endpoints from being shared becomes a priority.
Whether your PCI DSS compliance journey is just starting or you are already steps ahead, you must read our whitepaper to learn how adding continuous endpoint authentication with ActiveLock on your remote devices will keep sensitive data safe and ensure you meet PCI DSS requirements.