3 tips to maintain PCI compliance in hybrid work environments

Angie Hipsher-Williams, Jonathan Sharp
9/2/2021

Maintaining PCI compliance can be complex, especially when you consider the adaptations your business has made during the pandemic. As you implement hybrid work environments, these three tips can help you continue to stay compliant.

Every business has had to make its own adjustments and adaptations during the pandemic, deploying new systems, processes, and technologies to address numerous challenges. One of the biggest shifts for many companies, particularly as it relates to Payment Card Industry (PCI) compliance, has been the move to a remote work or work-from-home (WFH) environment. Because reliance on remote technology can change or expand the scope of the cardholder data environment, the scope of PCI compliance can change as well, and with hybrid in-office and remote work business models becoming more prevalent, we can expect many of these scope changes to become permanent.

These tips can help companies take pandemic lessons learned and use them to help obtain or maintain PCI compliance moving forward: 

1. Limit the scope of telephony to make the compliance process more manageable. 

The PCI Security Standards Council’s “Information Supplement: Protecting Telephone-Based Payment Card Data”[1] points out that systems used to accept cardholder data (CHD), and any systems connected to them, are in scope for a PCI assessment. This means that any additional or new networks, systems, or devices (including those used by work-from-home employees) are considered in scope, including:

  • WFH laptops running softphones
  • Voice over Internet Protocol (VoIP) servers
  • Call recording systems
  • VoIP architecture, including session border controllers (SBCs) and private branch exchange (PBX) devices
  • Session Initiation Protocol (SIP) infrastructure and SBCs
  • Network devices on the network segments where these systems reside

Here are a few common strategies for telephony scope reduction:

  • Outsource telephony-based payment card functions to a third-party service provider, or stop accepting payment cards directly over the telephone.
  • Physically segment the VoIP environment so that all telephony hardware sits in one segment, limiting telephony scope to that segment.
  • Suppress or mask dual-tone multi-frequency (DTMF) signaling, commonly known as touch tones, which uses the telephone voice frequency band and transmits a distinct pair of tones for each keyed digit, so that the digits a caller keys in never reach agents or call recordings:
    • Locally: host and manage the masking hardware and its associated services, processes, and CHD traffic from inside the VoIP environment.
    • Remotely: host the hardware and its associated services, processes, and CHD traffic at a third-party location, outside the VoIP environment.
  • Use “plain old telephone service” (traditional analog phone lines) or out-of-band communication.

Get even more tips from our team in our webinar “Back to Work: The Future of PCI.” 
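To make the DTMF masking strategy concrete, the following is an added example, written for this page and not code from the original article or from any PCI SSC guidance. It shows the mechanism a recording-side masking component relies on: a Goertzel filter scores each 50 ms frame of 8 kHz telephony audio at the eight DTMF frequencies, frames that carry a valid row/column tone pair are flagged, and those frames (plus a guard frame on each side) are blanked before the audio is stored. The sample rate, frame length, detection threshold and the input signal (synthetic digits over light line noise) are all assumptions chosen for the example; a production detector would additionally enforce minimum tone duration and level difference ("twist") between the two tones, which this example omits.

```python
"""Detect and mask DTMF (touch-tone) digits in an 8 kHz telephony audio buffer.

Added example, not code from the original article. Pure Python, no
dependencies: a Goertzel filter scores each 50 ms frame at the eight DTMF
frequencies, frames carrying a valid row/column tone pair are flagged, and
those frames are blanked so a call recording no longer holds keyed card digits.
"""
import math
import random

FS = 8000                        # sample rate in Hz (narrowband telephony)
FRAME = 400                      # 50 ms analysis frame (assumed)
LOW = (697, 770, 852, 941)       # DTMF row ("low group") frequencies
HIGH = (1209, 1336, 1477, 1633)  # DTMF column ("high group") frequencies
KEYS = "123A456B789C*0#D"        # keypad, row-major: KEYS[row * 4 + col]
MIN_RATIO = 0.15                 # per-tone share of frame energy needed to accept (assumed)


def goertzel_power(frame, freq):
    """Squared spectral magnitude of `frame` at exactly `freq` Hz."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / FS)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def frame_digit(frame):
    """Return the DTMF key present in `frame`, or None if there is no valid tone pair."""
    energy = sum(x * x for x in frame)
    if energy < 1e-9:            # digital silence (e.g. an already-masked frame)
        return None
    p_low = {f: goertzel_power(frame, f) for f in LOW}
    p_high = {f: goertzel_power(frame, f) for f in HIGH}
    lo, hi = max(p_low, key=p_low.get), max(p_high, key=p_high.get)
    # For two equal-amplitude sinusoids, each peak holds about a quarter of
    # energy * len(frame); speech or noise spreads energy across all bins,
    # so requiring both peaks to clear MIN_RATIO rejects non-DTMF audio.
    norm = energy * len(frame)
    if p_low[lo] / norm < MIN_RATIO or p_high[hi] / norm < MIN_RATIO:
        return None
    return KEYS[LOW.index(lo) * 4 + HIGH.index(hi)]


def frames(samples):
    """Yield (offset, frame) for consecutive non-overlapping frames."""
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        yield i, samples[i:i + FRAME]


def decode(samples):
    """Collapse per-frame detections into the keyed digit string."""
    digits, last = [], None
    for _, frame in frames(samples):
        d = frame_digit(frame)
        if d is not None and d != last:
            digits.append(d)
        last = d
    return "".join(digits)


def mask_dtmf(samples):
    """Copy of `samples` with every DTMF frame, plus one guard frame on each side, zeroed."""
    out = list(samples)
    hits = [i for i, fr in frames(samples) if frame_digit(fr) is not None]
    for i in hits:
        start, end = max(0, i - FRAME), min(len(out), i + 2 * FRAME)
        out[start:end] = [0.0] * (end - start)
    return out


def synth_dtmf(digits, tone_ms=100, gap_ms=100, amp=0.3, noise=0.02, seed=1):
    """Constructed test signal (not a real call): keyed digits over light line noise."""
    rng = random.Random(seed)
    out = []
    for d in digits:
        idx = KEYS.index(d)
        f_lo, f_hi = LOW[idx // 4], HIGH[idx % 4]
        for n in range(FS * tone_ms // 1000):
            t = n / FS
            out.append(amp * math.sin(2 * math.pi * f_lo * t)
                       + amp * math.sin(2 * math.pi * f_hi * t))
        out.extend([0.0] * (FS * gap_ms // 1000))
    return [x + rng.uniform(-noise, noise) for x in out]


if __name__ == "__main__":
    call = synth_dtmf("4111")    # constructed input; the digits are synthetic
    print("digits recoverable from recording:", decode(call))
    print("after masking:", repr(decode(mask_dtmf(call))))
```

Running the script decodes the keyed digits from the unmasked buffer and an empty string from the masked copy. The scoping point is where this runs: masking only the stored recording does nothing for the live audio path, the agent's softphone, or the VoIP servers that carried the tones, so each of those stays in scope unless suppression happens before the audio reaches them, which is why the local and remote hosting options above matter for the assessment.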

2. Enforce WFH compliance measures. 

Many companies continue to have at least a hybrid workforce and likely have additional workstations, such as remote employee laptops, that can come into scope for PCI compliance. Because of this, the following requirements from the PCI Data Security Standard, v3.2.1[2] might now be applicable when in the past they were not:

  • Requirement 1.4: Install personal firewall software or equivalent functionality on any portable computing devices.
  • Requirement 8.3: Secure all individual non-console administrative access and all remote access to the cardholder data environment (CDE) using multifactor authentication.

In one example of scope expansion, a business rolled out additional payment options for order pickup, including curbside pickup. This drastically changed its scope, bringing the entire organization’s network into PCI scope. Compounding this, IT was not aware of the additional PCI scope, so it was discovered mid-assessment. This led to PCI compliance issues, delays, and requests for extensions on the Report on Compliance (ROC) and Attestation of Compliance (AOC). To avoid these problems, companies should make sure they are aware of any changes to payment processes or associated technology as they relate to PCI scoping and requirements. 

3. Be prepared for scope adjustments when returning to the office or implementing a hybrid work environment. 

As companies restructure their work models, whether fully on-site or, in particular, a hybrid work environment, here are some PCI requirements to consider:

  • Systems turned back on, or new systems added, to handle increased load following pandemic disruptions will need to be patched and scanned, as they could be out of date.
  • If supporting or CDE system components are added, this may be considered a significant change, and the PCI requirements pertaining to significant changes would apply (6.4.6, 11.2, 11.3.1, 11.3.2).[3]
    • Even if these changes are temporary, they could still be determined to be significant changes depending on the timing of the ROC. A record of the dates of each change will be important to your independent assessor.

Remember that the need to maintain PCI compliance does not stop because of a new WFH or hybrid environment, but the scope of your compliance requirements may change. All requirements are still applicable and require compliance. There have, however, been some changes to remote assessment procedures, so you’ll want to connect with your Qualified Security Assessor (QSA) to determine the options and requirements for on-site and remote assessments. 


[1] Protecting Telephone-Based Payments Special Interest Group, “Information Supplement: Protecting Telephone-Based Payment Card Data,” PCI Security Standards Council, November 2018.
[2] “Payment Card Industry (PCI) Data Security Standard, v3.2.1,” PCI Security Standards Council, May 2018, http://www.pcisecuritystandards.org/document_library
[3] Ibid.


Angie Hipsher-Williams, Principal, IT Assurance Leader
Jonathan Sharp