Data protection is essential for today’s organizations, but with cybercrime on the rise and employees working from less-secure environments, information security has become more challenging than ever.
Clients also expect organizations to meet strict compliance standards, both in the office and at home. One of these is the Payment Card Industry Data Security Standard (PCI DSS), designed to ensure that companies can securely process, store, or transmit credit card information.
Without the correct PCI compliance measures in place, data breaches can result in fines of up to €20 million or 4% of your annual global turnover, whichever is greater. On top of that, payment brands can fine financial institutions for non-compliance, and financial institutions can withdraw the ability to accept card payments from non-compliant merchants.
Aside from the financial damage, non-compliant companies face significant long-term damage to their brand’s reputation. In the event of a data breach and stolen credit card information, customer loyalty drops rapidly and all trust goes out the window, taking years to rectify.
For many companies, a big part of the solution is to provide pre-configured corporate equipment to their employees, making it easier to maintain security and PCI compliance across their entire workforce. But what about companies that rely on employee-owned equipment to get the job done, otherwise known as BYOD (Bring Your Own Device)?
Considerations About BYOD Security
Looking at it more closely, the BYOD model essentially invites employees to introduce personal devices into corporate environments. In some industries, particularly the contact center and BPO space, companies would actively forbid agents from bringing mobile phones, laptops, tablets, or smart devices onto the operations floor.
Of course, COVID-19 changed all that. With much of the workforce now working from home, organizations and clients must consider BYOD a viable option, especially when the provision of corporate devices is out of the question.
BYOD has its benefits. It’s cost-effective, makes onboarding a more efficient process, and it’s much easier to scale up your workforce when there are no corporate devices to ship out. The main problem with BYOD is a lack of control. With employee devices, companies don’t have the same level of access as they do with corporate machines, so it’s more challenging to plug security vulnerabilities. On top of that, there’s a significant risk of disastrous data breaches, as employees have complete freedom to navigate to insecure websites or download malicious applications.
Thankfully, there are ways to reduce and even eliminate these risks, ensuring that any BYOD network can operate with full PCI compliance. So, unless you’re ready to cough up 20 million big ones, you’d better read on.
Start with a Security Awareness Program
One of the biggest reasons employees open the floodgates to cybercrime is that they’re frankly unaware of the dangers.
From day one, it’s essential to educate all personnel about internal security policies and the appropriate way to use computers for work purposes. At least once a year, ensure that your workforce is up-to-date on any changes to procedures, especially those related to work-at-home and BYOD.
Update Your Processes
It’s much easier to monitor workers in the office as they take over-the-phone card payments, but when you’re unable to keep watch, you need secure, up-to-date processes in place to prevent the worst from happening.
Remote BYOD employees should pass through robust multi-factor authentication processes when accessing any systems that deal with customer data, drastically reducing the risk of any unauthorized access. Likewise, a strict clean desk policy can ensure that employees don’t bring pens, paper, mobile phones, or other capturing devices into their workspace.
Provide the Latest and Greatest Technology
Although BYOD workers don’t use company-approved hardware, organizations can ensure they use secure, PCI-compliant software.
Companies should provide all BYOD employees with robust firewalls and virus protection, continuously updating them to the latest versions. Ideally, configure them in a way that prevents users from disabling them.
It’s also possible to implement virtual desktop infrastructure (VDI), enabling organizations to protect and manage sensitive applications from a central location. With VDI in place, companies can restrict employees access to specific tools and keep corporate data separate from the BYOD machine. However, poor connectivity or incompatible devices can limit the viability of VDI, so be sure to understand the minimum requirements for it to function.
Implement a Secure Workspace Environment
Like VDI, a secure workspace environment can turn a non-corporate or personal Windows device into a secure BYOD solution that facilitates PCI-compliant remote access.
These platforms provide a secure, PCI DSS-compliant workspace environment with endpoint lockdown security and application control. Some of them include built-in location awareness and enable dynamic permissions updates based on an endpoint's local network and centrally managed policies. Look for a solution with the tools to manage, troubleshoot, update, and scale your entire BYOD environment from a single console, like ThinScale’s Secure Remote Worker.
Common questions on BYOD and PCI DSS
With all this in mind, let's answer some of the most common questions we've seen around PCI DSS and BYOD.
Is PCI compliance possible with BYOD?
Yes, with solutions like Secure Remote Worker, BYOD endpoint environments can be considered compliant with PCI DSS standards.
What external factors outside of the device affect PCI compliance?
BYOD and remote working environments are more vulnerable to external factors like insecure or public networks, the introduction of malicious actors from external sources (USB, unsecure website, etc), and increased opportunity for unauthorized personnel to view or access company data.
Can you have PCI compliant remote working without VDI?
Yes, so long as the data is accessed from a secure device/session, is either encrypted or stored in an encrypted location on the device, and is inaccessible by unauthorized users.
Do remote endpoints need to be patched?
Yes, all endpoints must be up to date with current security patches, this is to ensure vulnerabilities are fixed as soon as they are discovered.
Remember that PCI compliance with BYOD requires more than one solution; it also takes a firm commitment from both the organization and its employees to adhere to specific practices and handle data responsibly.
That said, if your company is interested in adopting a secure workspace environment solution as part of a complete PCI compliance plan for BYOD, ThinScale can help with that.