Morris Manning & Martin, LLP

Protecting Payment Card Data During COVID-19


As businesses have shifted their operations to a remote work force, businesses are facing security concerns as payment card information is now being processed outside secure work facilities and into employee homes. In order to process payment card information, most banks and major credit cards require businesses to comply with Payment Card Industry Data Security Standards (PCI DSS). While the PCI DSS is voluntary and not mandated by federal or state law, there is no alternative for any business but to comply with the PCI DSS if they wish to utilize credit card payments.

PCI DSS was designed as a comprehensive list of best practice measures and processes for handling, processing, storing, and transmitting payment card data. The PCI DSS requirements apply to all businesses, regardless of the number or size of credit card transactions they process. The PCI Security Standards Council (PCI SSC) provides oversight on managing the PCI DSS, as well as educating the public on its requirements. Noncompliance with PCI DSS can result in a range of penalties from significant fines or worse to being prohibited from processing payment cards all together.

In response to COVID-19, the PCI SSC created a COVID-19 resource page on its website and uploaded resources and guidance reminding businesses of their PCI obligations. Despite this chaotic situation, PCI DSS still applies during this public health emergency and businesses still need to maintain security practices to protect credit card holder data.

In order to facilitate secure processing of payment card information, businesses need to focus on:

  1. fostering a culture of security with their employees;
  2. implementing effective security controls for payment processing over the phone; and
  3. limiting exposure to hackers by ensuring there are physical and technical safeguards in place.

Remote work guidance released by the PCI DSS on their COVID-19 resources page reminds businesses of their obligations and best practices. For processing payments remotely, the PCI SSC recommends businesses implement a security awareness program. The security awareness program consists of employee training on the business’s security policies and procedures that would be administered at the beginning of employment and at least annually to remind employees of their obligations. It is a best practice to require employees to sign an acknowledgement form that they have received the training. Securing systems and data located in home-worker environments can be challenging and difficult to enforce. Remote employees should be trained on the security risks and informed on how to securely maintain payment information from unauthorized use or exposure.

Businesses need to ensure there are security controls in place while employees are collecting and processing information remotely. Before an employee can connect to a business’s telephonic system, multi-factor authentication should be utilized. It is a best practice to restrict physical access to media containing payment card data, such as call or screen recordings, as well as networking and communications hardware. If an employee must write down payment information on paper, then employees should understand that this information is sensitive and should be stored in a secure location. It should be shredded once it is no longer needed.

Another way to minimize security risks is to require all employees use only company-issued devices that have firewalls and virus protection software already installed on the device. All remote desktops or devices should have the latest approved security patches installed and configured to prevent users from disabling security controls. Employees should be limited to transmitting payment information only over secure and encrypted channels (e.g. properly configured virtual private network or VPN).

Phishing emails more than quadrupled in March 2020 as hackers leveraged the outbreak to their advantage. As a result, all employees should be trained to be aware of potential phishing calls. Information Technology or Information Security teams should be prepared to identify rogue calls from people claiming to be remote users, and there should be a process for staff to confirm their identity when calling IT support remotely. Businesses should also ensure that incident response plans are up-to-date and include how to respond to incidents from a remote work environment. If an employee becomes aware of any potential security incident, they should immediately report such activity to the company’s IT department or appropriate party.