Allowing employees to work from home has become more common, especially since the Covid-19 pandemic started in 2020. However, if your employees are processing billing payments from home, using a virtual terminal, how can your business ensure that these payments are truly safe?
This is a topic of interest for those in typically non-retail industries such as medical, dental, service industry, and funeral homes, where card-not-present payments are common (i.e. payments are typically taken over the phone).
For example, a medical company has 13 billing reps that are all logged into a virtual terminal to process payments – now working from home, 13 separate internet networks rather than a single network at their shared office. The security of operations here could be drastically compromised.
If this situation sounds similar to yours currently, whether you are a supervisor or employee, be sure to consider the following recommendations.
Are home based employees following the same PCI compliance standards as they would in the office?
PCI compliance is an industry-wide measure to protect cardholder data. It’s a self-governing board that sets guidelines for safety protocols when processing a card. The standards are centered around the following goals:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
(Full document can be found here.)
You can see that some of these goals are automatically at a disadvantage when a representative is working from home, such as #5 above: monitoring and testing networks.
Are they writing down cardholder info if they take a payment over the phone rather than entering it directly into a virtual terminal?
While it can be convenient to store a client’s payment information like this for future use, there are several reasons why this is a terrible and risky habit. According to PCI standards, all personnel should be “aware that any unauthorized copying, moving, sharing, or storing of payment card data is prohibited.”
Any number of situations could occur where the data gets into the wrong hands, physically or electronically via hacking or otherwise, could give rise to unnecessary legal trouble for you and your business. Sensitive data such as credit card information should never stored either on paper or on an electronic copy anywhere other than a virtual terminal that meets the PCI compliance standards.
Is their home network secured through a VPN?
According to top anti-virus software producer Norton in an article on their website, VPNs “use encryption to scramble data when it’s sent over a Wi-Fi network. Encryption makes the data unreadable.” If their internet network is not secured through a VPN, it is more likely that this private information will be subject to theft.
It is certainly possible that many companies fail to consider these crucial security details when sending employees, especially those who work directly with handling client billing, to work from home. So, what can companies do to make sure their home based employees are protecting cardholder data?
Some checks you can make to ensure safety of all remote transactions:
- Ensure the employee is accessing the terminal from a secure network, like a VPN, and all security software is installed properly and up-to-date.
- Provide or approve of the hardware devices that are being used to make phone calls and log into the virtual terminal.
- Implement the use of “a multi-factor authentication process when connecting to the telephone environment or to any systems which process [cardholder data].“
- Refer to the document linked here for more information regarding over-the-phone payments.
The bottom line here is to take the recommendations of the PCI Security Standards Council when considering actions to take to secure your clients’ sensitive information. Their website is an excellent resource for information and relevant training on this subject.
If you would like help setting up your at-home work environment for maximum safety, please reach out to us and we’d be happy to discuss it with you.