April 6, 2020
As of early April, hundreds of millions of workers around the world are affected by “stay-at-home” or “shelter-in-place” orders issued by governments in response to the COVID-19 pandemic. To cope, transaction processors are shifting work out of their high-security delivery centers and into the spare bedrooms and home offices of their personnel. That shift creates security challenges that have CISOs’ heads spinning. We previously wrote about a broad range of issues to consider in transitioning to an emergency work-from-home (WFH) model: COVID-19: Key Considerations in Moving Your BPO to WFH. This alert drills down on the special challenges created when WFH affects payment cardholder data that is subject to the Payment Card Industry’s Data Security Standard (PCI DSS).
The major card brands require use of PCI DSS to manage security in their endlessly complex global payments systems. PCI DSS compliance is a condition to participation in these systems and requires processors of card account data to implement a range of specialized security controls and have them verified by trusted third parties. For merchants and their banks, failing to maintain compliance can be catastrophic, resulting in significant fines or loss of the ability to process card transactions—a commercial death sentence. The compliance risks are heightened when account data handling is outsourced to third-party service providers, such as contact center operators and e-commerce providers. We have previously addressed the basics of contracting for third-party PCI DSS compliance under earlier versions of the standard (see Contracting for PCI DSS Compliance in the Cloud), and the fundamental rule remains the same: you are responsible for the security of account data in the hands of your service providers, and your contracts must pass along that responsibility.
The pandemic, however, is changing the game. It is challenging the security controls built by merchants and service providers to assure PCI DSS compliance. Obviously, the security of a Tier 4 data center with a hardened network backed by a raft of carefully enforced policies and procedures cannot be matched by employees using their personal devices to log in to customer systems using less secure home or public WiFi while their quarantined roommates look over their shoulders. We understand that some service providers are forcing the issue—offering to move to WFH models, but demanding relief from contractual security obligations. To help navigate the transition, the PCI SSC has offered guidance about issues raised by WFH and examples of compliant security controls, which can be found at the PCI SSC’s dedicated coronavirus webpage: PCI SSC Coronavirus (COVID-19), and in their blog: PCI Perspectives COVID-19. Customers also will need to consider their own contract terms and unique fact patterns as they struggle with the balance between securing their infrastructure and keeping the business running. Here are a few considerations for counsel:
Our experience over the past few weeks tells us that, though the pressure to act quickly is intense, there is nearly always time for a thoughtful approach that looks beyond the current crisis.