Industrial organizations always attract attention from both cybercriminals and politically-motivated threat actors. Reflecting on the previous half year, we have seen among other findings, growth in the number of cyberespionage and malicious credential stealing campaigns. Their success has most likely been the main factor raising the ransomware threat to such [...]
PCI SSC does not require QSAs or ISAs to visit personnel private residences for any purpose, including the review of work-from-home (WFH) environments to validate PCI DSS requirements.
Entities should have policies and procedures implemented to provide assurance that applicable PCI DSS controls are in place for WFH personnel and that such personnel are aware of and adhering to the entity’s secure practices.
Assessors should work with the entity to understand the processes and controls the entity has implemented to secure connections from personnel in WFH environments.
This includes understanding how the entity ensures that account data is stored, processed, or transmitted from WFH environments in accordance with applicable PCI DSS requirements, and how the entity gains assurance that those controls continue to function effectively to protect the entity’s network and cardholder data.
Entities are not expected to conduct onsite assessments of work-from-home (WFH) environments, as home environments are not owned or controlled by the entity.
Entities are expected to have controls and processes in place governing how personnel working from home access payment card account data.
Controls and processes should also be implemented to provide assurance that payment card account data is protected in accordance with applicable security requirements.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.