Maintaining PCI compliance can be complex, especially when you consider the adaptations your business has made during the pandemic. As you implement hybrid work environments, these three tips can help you continue to stay compliant.
Every business has had to make its own adjustments and adaptations during the pandemic, deploying new systems, processes, and technologies to address numerous challenges. One of the biggest shifts for many companies, especially as it relates to Payment Card Industry (PCI) compliance, has been the move to a remote-work or work-from-home (WFH) environment. Because the reliance on remote technology can change or expand the scope of the cardholder data environment, the scope of PCI compliance can change as well, and with hybrid in-office and remote-work business models becoming more prevalent, we can expect many of these scope changes to become permanent.
These tips can help companies take pandemic lessons learned and use them to help obtain or maintain PCI compliance moving forward:
1. Limit the scope of telephony to make the compliance process more manageable.
The PCI Security Standards Council’s “Information Supplement: Protecting Telephone-Based Payment Card Data”[1] points out that systems used to accept cardholder data (CHD), and any systems connected to them, are within the scope of a PCI assessment. This means that any additional or new networks, systems, or devices (including those used by work-from-home employees) are considered in scope, including:
- VoIP architecture, including session border control (SBC) and private branch exchange devices
Here are a few common strategies for telephony scope reduction:
- Outsource telephony-based payment card functions to a third-party service provider, or halt the direct acceptance of payment cards via telephone.
- Physically segment the VoIP environment to keep all hardware in one segment, limiting the telephony scope to that segment.
- Suppress or mask dual-tone multi-frequency (DTMF) signaling, commonly called touch-tone, which uses the telephone voice frequency band and transmits a different tone for each associated digit.
- On premises, host and manage the hardware and related software, processes, and CHD traffic from within the VoIP environment.
- Remotely, host the hardware and related software, processes, and CHD traffic from the VoIP environment at a third-party location.
- Use “plain old telephone service” (traditional phone traffic) or out-of-band communication.
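The DTMF masking strategy above is the one control in this list that is implemented in code rather than by architecture, so here is an added example of what it looks like in practice: digits keyed into an IVR are decoded from their tone pairs and any Luhn-valid 13 to 19 digit run is masked before the keypresses reach a call recording or log. This is illustrative code written for this article, not the PCI SSC’s or any vendor’s implementation; the tone table is the standard DTMF keypad, the function names are hypothetical, and the card number is a constructed test value.

```python
import re

# Standard DTMF keypad: each key is a (low Hz, high Hz) tone pair.
DTMF_TONES = {
    "1": (697, 1209), "2": (697, 1336), "3": (697, 1477),
    "4": (770, 1209), "5": (770, 1336), "6": (770, 1477),
    "7": (852, 1209), "8": (852, 1336), "9": (852, 1477),
    "*": (941, 1209), "0": (941, 1336), "#": (941, 1477),
}
TONE_TO_KEY = {tones: key for key, tones in DTMF_TONES.items()}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_tones(tones) -> str:
    """Turn detected (low, high) tone pairs into keypad characters ('?' if unknown)."""
    return "".join(TONE_TO_KEY.get(pair, "?") for pair in tones)


def mask_pan_sequences(keys: str) -> str:
    """Mask each Luhn-valid 13-19 digit window, keeping only its last 4 digits.
    Windows are tried longest-first inside every digit run, so a PAN is still
    caught when the caller pressed a menu digit immediately before it."""
    out = list(keys)
    for run in re.finditer(r"\d+", keys):
        digits, start, i = run.group(0), run.start(), 0
        while i < len(digits):
            for length in range(19, 12, -1):
                cand = digits[i:i + length]
                if len(cand) == length and luhn_ok(cand):
                    out[start + i:start + i + length - 4] = "*" * (length - 4)
                    i += length
                    break
            else:
                i += 1  # no card number starts here; move on one digit
    return "".join(out)


def mask_dtmf_stream(tones) -> str:
    """End to end: decode the tones, then mask card numbers before they are stored."""
    return mask_pan_sequences(decode_tones(tones))


if __name__ == "__main__":
    # Constructed IVR session: menu option 1, a test PAN, then '#' as terminator.
    sample = [DTMF_TONES[c] for c in "1" + "4111111111111111" + "#"]
    print(mask_dtmf_stream(sample))
```

Masking at this point in the call path keeps the recording and logging systems from ever holding full PANs, which is what takes them out of CHD scope; fields entered without a terminator can still be over-matched, so production systems also rely on the IVR's field boundaries.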