Guidance: How PCI DSS Requirements Apply to WFH Environments

PCI DSS requirements may apply to work-from-home (WFH) environments in different ways, depending on the entity’s business and security needs and how they have configured their infrastructure to support personnel working from home. Additionally, the job functions an individual is performing may also affect how PCI DSS applies—for example, whether an individual requires access to payment card account data or to the entity’s CDE, and the type of access required.

All entities are encouraged to provide practical security guidance and best practices for personnel to securely configure and manage their home networks.

PCI SSC recently launched “Work from Home Security Awareness Training”. This 45-minute online course teaches remote workers about common threats facing remote-based working environments and shares real-world insights on security best practices. Learn more about this training: New Training: Work from Home Security Awareness

Some entities may choose to support WFH environments as an extension of the entity’s network—for example, by providing and managing networking equipment for personnel to use while working from home and requiring that personnel secure their WFH network and environment in accordance with PCI DSS requirements. An entity might choose this option when the work being performed is determined to be of high risk, such as when personnel are performing sensitive security functions or accessing highly confidential information from their home network.

Alternatively, because home networks are usually outside of an entity’s ability to control and the security of home networks cannot be verified, WFH networks may be considered untrusted networks. In this scenario, the WFH network would be excluded from the entity’s PCI DSS scope, and the entity’s focus would be on defining secure processes for personnel to follow, securing the systems used by personnel when working at home, and ensuring a secure connection between those systems and the entity’s network.

Any system used to access account data or the entity’s CDE should be secured and managed in accordance with all applicable PCI DSS controls—for example, configured per the entity’s security configuration standards, and protected from untrusted networks with a firewall, up-to-date patches, and anti-malware protection. All connections from a home network to the entity’s CDE should be protected with multi-factor authentication, and strong cryptography used for all transmission of account data.

Personnel working from home are also expected to adhere to their organization’s security policies and procedures, including limiting access to cardholder data within their WFH environments—for example, using only company-authorized devices to access cardholder data, locking computer screens when stepping away from the computer, securing any storage of paper copies of cardholder data to prevent unauthorized access, and following the organization’s policies for securing network and computer equipment used at home for work purposes. The entity’s policies should also prohibit the unauthorized copying, moving, and storing of account data onto local hard drives and removable electronic media.
Entities should evaluate the additional risks associated with processing payment data in unsecured locations and implement controls accordingly. Personnel should be made aware of the risks related to remote working and what is required to maintain the ongoing security of systems, processes, and equipment supporting the secure access and processing of payment card data.

PCI SSC has several FAQs on payment security topics related to work from home environments. You can find these on the PCI SSC FAQ page. The questions include: