PCI SSC Shares Resources for Navigating Changing Payment Environments

By Lance J. Johnson

Greetings to our PCI SSC stakeholder community!

With 2021 half done, I wanted to take this opportunity to share with you what the PCI Security Standards Council (PCI SSC) is doing to assist the industry as we continue to navigate the changes brought on by the pandemic. The current phase is a hybrid of old and new, and defined by rapid changes including re-openings and continued, or returning, lockdowns.

At the beginning of the pandemic, PCI SSC shared a resource guide intended for small merchants on ways to protect payment card data in rapidly changing payment environments. During that time, as employees worked from home, many merchants were rapidly changing how they operated, including moving to accept mobile, remote, e-commerce and even over-the-phone transactions. Now, as employees return to the office and businesses begin to re-open, those payment environments are changing once again.

Data breaches and related attacks often happen because of vulnerabilities that are entirely preventable. We want to help small and medium businesses take simple steps to protect themselves and their customers’ payment card data. And so, over the course of the next eight weeks, we thought it was reasonable to highlight payment security basics for protecting against payment data theft.

Beginning next week, we will kick off a new Back-to-Basics blog series by sharing a payment data security best practice each week, on topics ranging from keeping software patched and using strong passwords to ensuring firewalls are properly configured and choosing trusted partners. We want to be a resource for you. We hope you find this information valuable and will share it with your employees and colleagues.

For those businesses that are continuing to work from home, we want to be a resource for you, too. It is estimated that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. In the rush to set up remote work environments, it is possible that organizations and workers overlooked cybersecurity best practices. Recently, PCI SSC developed a low-cost 45-minute training course to educate organizations and remote workers on the basics of working from home in a secure manner. To learn more about Work From Home Security Awareness, we encourage you to visit our blog and check out our training site to register.

Finally, for our assessor community, PCI SSC is currently working on expanding our existing Remote Assessment guidance into more detailed guidelines. These guidelines will provide consistent practices for assessors and their clients to follow when considering the use of remote assessments for validating environments, solutions, and products against PCI SSC standards. The new guidelines are intended to support greater flexibility for completing assessments where in-person or onsite testing is not feasible and where remote assessments are supported by the compliance entity. Development of these guidelines incorporates feedback received from assessors and stakeholders about how they are approaching remote assessments today, the challenges they face, and the effectiveness of different methods for mitigating some of those challenges. We anticipate sharing this expanded guidance with you in early Q3 of this year.

I want to thank you for all the feedback you have shared with us as we continue to navigate the evolving pandemic and the concerns of the industry. We value your support and participation, and we hope you find our resources and new training courses helpful.