Crossbow Labs

PCI-DSS – Sustenance in Coronavirus (COVID19) Pandemic Conditions


Being a security professional, the term virus drives many adrenal glands to fight it out tooth and nail until its elimination. Well in these conditions, my fight is restricted to novice guidance on do’s and don’ts as learned and understood by me. Thanks to all medical and paramedical professionals who are risking their own lives to save several others.

Complying with PCI

In our topic – PCI, all of us are more than aware that compliance with the PCI-DSS v3.2.1 standard is a continuous and ongoing process under changing environments. The changing and dynamic environments are visualized in terms of risk scenarios and controls laid out to mitigate those risks (PCI Requirement 12.2 .a and 12.2.b). It is understood that pandemic conditions as prevalent today across the world, would have been one of the risk scenarios and adequate controls to counter the same would be have been prescribed and implemented. It is not the intent today to open up risk assessment reports and see its coverage and effectiveness. We should be looking at the larger picture without debating whether PCI requirement 12.2 relating to risk assessment is about enterprise-wide or not, does it need to cover the information security tenet ‘Availability’ and if yes to what extent.

The larger picture is of sustenance of PCI under such conditions when the availability of the human element in maintaining the controls from a specified secure location is in question.

There is no simple and easy answer to this. The approach would be to list down the PCI requirements/sub-requirements the meeting of which could be impacted under the existing conditions. Obviously, this will vary from industry to industry, companies within the industry, country to country, cities within a country and so on, meaning thereby there will not be a one list fitment.

One small merchant with only two POS terminals may not open his establishment for some time. In such a scenario, although PCI is a 365×7 exercise, he would still be compliant since he has eliminated any risks arising from a transaction perspective at least. It is assumed that the risk of break opening of the shop is anyway covered when he closes everyday Corona or not!

Challenges in Present Conditions

  1. Where it is a law that calls for complete lockdown/even restricted movement we all understand that the law will prevail upon the PCI requirements. In the present context, the word law should be of wide import to cover notifications/nay even guidance.
  2. Requirement 1.1.2 current network diagram: If work from home is permitted only under the existing conditions, the current network diagram would warrant a change and of course it has to be architected and implemented in a manner that the security of CHD is not affected. (when I say Req 1.1.2, we should not be looking in isolation since it has a bearing on various other related and connected operational requirements while 1.1.2 is a documentation requirement) There could be other requirements getting impacted like 1.1.6b/c,4.1a,4.2b, etc depending on the change in the work environment from the office to home or change in location or what else?
  3. Third, let us look at 1.4 a – It talks about portable computing devices. In many large companies especially in more controlled ITES and ODC sectors, laptops are not provided to employees because they work from office only, under normal circumstances. Under the present conditions if they use their home desktops. Ideally, this requirement should be addressed although it does not come under the definition of portable devices. Extending this it would be pertinent to add here in some countries the law prohibiting work from home in BPO’s has since been relaxed.
  4. Implementation of requirements 10.6.1 a and 10.6.1b could be a challenge to the extent the methods/ tools used, and limited automation used for monitoring involves the presence of human element at the specified location or a particular human only is required with no back up/succession. In such a scenario if it turns out to be impossible/life threatening my take would be to fall on requirement 6.2 and extend the same for 6.1 where a review is required periodically and based companies risk management policies.
  5. On the other side, a silver lining I would say would be, with visitors and onsite personnel entry banned in many establishments the requirements related to their monitoring may not apply for a temporary period.
  6. It would be essential to touch upon a requirement which under normal circumstances may not have been given that much credence. That will be the requirement related to background checks (Req 12.7). If this requirement was implemented in normal times in letter and spirit with robustness in good times, the shift in the work environment from the office to home should not be a great threat to the integrity and consequent misuse.

In summary, sustenance essentially should revolve around revised risk assessment, additional controls, compensating controls and documentation of exceptions to keep the security intended by the PCI standard in letter and spirit.

Well, I can’t cover requirement to requirement and case to case in this article, I, without prejudice to what all is stated above, would like to see an informal ceasefire between hackers and security professionals till the abatement of this pandemic.