While India is in the throes of its battle with the deadly COVID-19, the payments industry has not been far behind in assessing its impact on the sector and taking necessary preventive actions. To this end, several banking and other financial institutions, including fintech players, have directed employees to work from home. However, with this directive comes the looming question of whether doing so is advisable given the sensitivity of the information involved.

The Payment Card Industry Security Standards Council (PCI SSC), a global forum that develops data security standards and resources for safe payments worldwide, recently published guidance on protecting payment data and working securely while working from home. The guidance is organised around people, processes and technology.

People

The PCI SSC recognises that employees working from home for the first time are the most vulnerable, because they are the least likely to be familiar with the policies and processes that apply in such situations. It has emphasised that organisations need to deliver specific security awareness training focused on the data security policies and processes that apply while working remotely. It has further advised that systems used by home-workers to process account data must be securely maintained and kept inaccessible to any third party or unauthorised individual, including family members and housemates. It has also recommended a strong password policy, with shared passwords prohibited.

Process

The PCI SSC has recommended multi-factor authentication for every connection to systems that process account data, restricted physical access to media containing payment data, and secure storage of any physical document that captures payment data, followed by secure destruction once it has served its purpose. Further, it has advised that access be restricted to those individuals whose roles require them to have access to sensitive information.

Technology

The PCI SSC has urged organisations to update their security processes so that they are prepared for the threats that arise from working in remote environments. It has recommended that employees working from home be required to use only company-approved, securely configured hardware, including laptops, desktops and mobile phones. Organisations have been asked to ensure that all such systems have (a) a personal firewall enabled, (b) the latest version of the corporate anti-virus software and definition files, and (c) the latest approved security patches installed. Systems must also be configured so that users cannot disable any security control that has been installed. A further measure is to automatically disconnect remotely accessed systems after a period of inactivity, so that idle, open connections cannot be used by someone other than the authorised user.
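Two of the recommendations above, multi-factor authentication on remote connections and automatic disconnection of idle sessions, can be checked mechanically on a Linux jump host or bastion running OpenSSH. The script below is an added example written for this article; it is not PCI SSC material and the inputs it audits are constructed. It assumes a 15-minute idle limit (a policy choice, not a PCI SSC figure), that the second factor is delivered through PAM as `keyboard-interactive`, and that the idle timeout is enforced by a read-only `TMOUT` in a shell profile such as `/etc/profile.d/tmout.sh`. Note the distinction the code makes: sshd's `ClientAliveInterval` drops a client that has stopped responding, whereas a user who is merely idle is only logged out by `TMOUT` or by a VPN-side idle timeout.

```python
"""Audit a Linux remote-access host for two PCI SSC work-from-home controls:
MFA on the remote connection and automatic disconnection of idle sessions.
Added example with constructed inputs; not part of the PCI SSC guidance."""
import re

# Policy assumption for this example: drop interactive sessions idle > 15 min.
MAX_IDLE_SECONDS = 900


def parse_sshd_config(text):
    """Map lower-cased sshd_config directives to values. Comments and blank
    lines are skipped and, as sshd itself does, the first occurrence of a
    directive wins. Match blocks are not modelled: a directive inside one is
    treated as if it were global."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def parse_tmout(profile_text):
    """Return (TMOUT seconds or None, readonly flag) from a shell profile
    snippet. bash/ksh end an interactive shell idle longer than TMOUT seconds
    (0 disables it); 'readonly' stops the user from unsetting the variable."""
    value, readonly = None, False
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0]
        m = re.search(r"\bTMOUT=(\d+)", line)
        if m:
            value = int(m.group(1))
        if re.search(r"\breadonly\s+TMOUT\b", line):
            readonly = True
    return value, readonly


def requires_two_factors(authentication_methods):
    """True if every alternative in an sshd AuthenticationMethods value
    demands at least two distinct methods. Alternatives are space separated;
    methods within one alternative are comma separated and all required."""
    alternatives = authentication_methods.split()
    if not alternatives:
        return False
    return all(len(set(alt.split(","))) >= 2 for alt in alternatives)


def audit(sshd_text, profile_text, max_idle=MAX_IDLE_SECONDS):
    """Return a list of (code, message) findings; empty means both controls hold."""
    findings = []
    cfg = parse_sshd_config(sshd_text)

    # Control 1: MFA on every login path. Without AuthenticationMethods sshd
    # accepts any single enabled method, so a password alone would do.
    methods = cfg.get("authenticationmethods", "")
    if not requires_two_factors(methods):
        findings.append(("mfa", "AuthenticationMethods %r allows a single-factor "
                         "login path; require e.g. publickey,keyboard-interactive"
                         % methods))

    # Control 2a: idle user sessions are terminated and the user cannot opt out.
    tmout, readonly = parse_tmout(profile_text)
    if tmout is None or tmout == 0 or tmout > max_idle:
        findings.append(("idle-timeout", "TMOUT is %r; policy requires 1..%d s"
                         % (tmout, max_idle)))
    elif not readonly:
        findings.append(("idle-timeout-readonly",
                         "TMOUT is set but not readonly, so a user can unset it"))

    # Control 2b: connections whose client has stopped responding are dropped
    # within the same window (ClientAliveInterval * ClientAliveCountMax).
    interval = int(cfg.get("clientaliveinterval", "0"))
    count = int(cfg.get("clientalivecountmax", "3"))
    if interval == 0 or interval * count > max_idle:
        findings.append(("dead-connection", "ClientAliveInterval %d x "
                         "ClientAliveCountMax %d does not drop unresponsive "
                         "clients within %d s" % (interval, count, max_idle)))
    return findings


# Constructed sample inputs: a password-only host versus a hardened one.
WEAK_SSHD = """
Port 22
PasswordAuthentication yes
ClientAliveInterval 0
"""
WEAK_PROFILE = "# nothing sets TMOUT\n"

HARDENED_SSHD = """
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
ClientAliveInterval 60
ClientAliveCountMax 3
"""
HARDENED_PROFILE = """
# /etc/profile.d/tmout.sh (constructed)
readonly TMOUT=900
export TMOUT
"""

if __name__ == "__main__":
    for name, sshd, prof in (("weak", WEAK_SSHD, WEAK_PROFILE),
                             ("hardened", HARDENED_SSHD, HARDENED_PROFILE)):
        print(name, audit(sshd, prof) or "no findings")
```

Run against real files with `audit(open("/etc/ssh/sshd_config").read(), open("/etc/profile.d/tmout.sh").read())`. The `mfa` check deliberately inspects `AuthenticationMethods` rather than `PasswordAuthentication`: a password is an acceptable second factor next to a key, but on its own it is exactly the single-factor path the guidance rules out.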

Security Considerations – Onsite v. Offsite

The PCI SSC recognises that the measures required for working onsite and offsite differ. It has again drawn attention to the importance of training staff so that they can identify and be wary of phishing attempts, including phone calls. Processes must be established for staff, including IT support personnel, to verify each other's identity when contacting one another remotely. Organisations are advised to carry out a risk assessment of remote access and working from home, and to amend their policies and processes accordingly.

With guidance from the PCI SSC now available for remote working, banks and financial institutions are considering making work from home a long-term arrangement, even after the COVID-19 scare has passed. Doing so would undoubtedly reduce costs and could also mean better service for customers. That said, leading players in the sector recognise that the feasibility of a remote working environment is as yet untested, and that its success (or lack thereof) may only be assessable at the end of the 'pilot' period that has been forced upon them.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.