Privacy & Information Security Law Blog

As of early April, hundreds of millions of workers around the world have been affected by “stay-at-home” or “station-in-place” orders issued by governments in response to the COVID-19 pandemic. To cope, transaction processors are shifting work out of their high-security delivery centers and into the spare bedrooms and home offices of their personnel. That shift creates security challenges that have chief information security officers’ (“CISOs’”) heads spinning. Specifically, special challenges are created when work-from-home (“WFH”) orders affect payment cardholder data that is subject to the Payment Card Industry’s Data Security Standard (“PCI DSS”).

The major card brands require use of PCI DSS to manage security in their endlessly complex global payments systems. PCI DSS compliance is a condition to participation in these systems and requires processors of card account data to implement a range of specialized security controls and have them verified by trusted third parties. For merchants and their banks, failing to maintain compliance can be catastrophic, resulting in significant fines or loss of the ability to process card transactions—a commercial death sentence. The compliance risks are heightened when account data handling is outsourced to third-party service providers, such as contact center operators and e-commerce providers. The fundamental rule remains the same: you are responsible for the security of account data in the hands of your service providers and your contracts must pass along that responsibility.

The pandemic, however, is changing the game. It is challenging the security controls built by merchants and service providers to assure PCI DSS compliance. Obviously, the security of a Tier 4 data center with a hardened network backed by a raft of carefully enforced policies and procedures cannot be matched by employees using their personal devices to log in to customer systems using less secure home or public WiFi while their quarantined roommates look over their shoulders. Understandably, some service providers are forcing the issue—offering to move to WFH models, but demanding relief from contractual security obligations. To help navigate the transition, the PCI SSC has offered guidance about issues raised by WFH and examples of compliant security controls, which can be found at the PCI SSC’s dedicated coronavirus webpage and in their blog: PCI Perspectives COVID-19. Customers also will need to consider their own contract terms and unique fact patterns as they struggle with the balance between securing their infrastructure and keeping the business running.

Here are a few considerations for counsel:

• Blanket waivers likely are not appropriate. Not every contract term fails in this crisis and security adjustments should be limited to controls that simply cannot operate in a WFH environment.
• Where existing controls fail, compensating controls must be implemented to protect account data during the WFH event. Remember that exposing the infrastructure without adequate preparation may allow the injection of threats that could persist far beyond the life of the pandemic. Service providers can fairly be challenged to make an orderly transition.
• Insist on transparency into all the details of the WFH solution, reasonable recordkeeping and a right to audit. Showing your diligence is likely to be important if there are future questions.
• Map the path to return to normal operations. Agree on when the WFH solution will be unwound and how that transition will occur.

Our experience over the past few weeks tells us that, though the pressure to act quickly is intense, there is nearly always time for a thoughtful approach that looks beyond the current crisis.

Read a previous client alert on transitioning to an emergency WFH model: COVID-19: Key Considerations in Moving Your BPO to WFH.

Additionally, we addressed the basics of contracting for third-party PCI DSS compliance under earlier versions of the standard. Read Contracting for PCI DSS Compliance in the Cloud.