Taking Payments from home?
Due to the lock-down, are your staff processing payments at home?
Many office, helpdesk and call centre environments now have individuals working from home. If those individuals are accepting payments over the phone, then you have some potential PCI-DSS and personal data protection challenges. However, there are some things you can do to minimise the risk and continue to meet PCI-DSS requirements.
If you are able to redirect callers to a website to make payments, then that is ideal, as the payment information will never be in the home environment; but that may not always be feasible.
You might be taking Cardholder Not Present (CNP) payments using a physical terminal, connected to either a phone line or home broadband. There isn’t a great deal you can do, or need to do, about the security of a dial-up terminal, but for an internet-based terminal the router should not allow remote support (remote administration) via the internet and should have its firewall switched on. If the router supports wi-fi, ensure the connection is encrypted using WPA2-PSK AES encryption and a strong password.
If the terminal prints paper vouchers, these should be stored securely – in a safe if you have one. Most terminals no longer print the full card number, but if yours does, you need to be especially careful in storing the vouchers. They should be destroyed by incineration or cross-cut shredder at the earliest opportunity.
Of course, you will have a limited number of physical terminals. If you have multiple people needing to process payments, then a virtual terminal such as RSM 2000’s CPTerminal may be the answer.
Even so, when using a virtual terminal, some precautions are required:
1. Ensure PCs have anti-malware software installed that runs automatically, that users cannot stop the scans or change its settings, and that its logs are collated centrally.
2. PCs should have a locally installed firewall configured to block unauthorised traffic.
3. Users should not have the ability to install, remove, or reconfigure applications, access administrative functions, or use USB memory drives.
4. Ideally, connect to the router by cable. If wi-fi has to be used, ensure it is encrypted using WPA2-PSK AES encryption and a strong password.
5. Make sure users know they are not to write down or retain sensitive information in any form; get them to acknowledge this.
6. PCs should have a password-protected screensaver that activates automatically after a period of inactivity; users should lock their PCs whenever left unattended.
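The precautions above (and the wi-fi guidance for a physical terminal's router) are checkable on the home PC itself. The script below is an added example, not RSM 2000's or CPTerminal's own tooling: a read-only compliance check for a Windows 10/11 PC that reports whether real-time anti-malware and tamper protection are on, the host firewall is enabled on every profile, the payment user is not a local administrator, USB mass storage is disabled, the current wi-fi link uses WPA2/WPA3 with AES (CCMP/GCMP), and the screensaver locks within a short idle period. It assumes Microsoft Defender and the built-in Windows Firewall are in use; the 15-minute idle limit is the figure PCI-DSS uses for session re-authentication, and the registry paths are the standard Windows locations for these settings. Run it, without elevation, as the user who processes payments.

```powershell
# Added example: read-only PCI-DSS home-PC check (assumes Windows 10/11, Microsoft Defender,
# Windows Firewall). It changes nothing; it only reports which controls are in place.

$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Anti-malware runs automatically and the user cannot switch it off (tamper protection).
$mp = Get-MpComputerStatus
Add-Check 'Real-time protection on'    $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
Add-Check 'Tamper protection on'       $mp.IsTamperProtected         "IsTamperProtected=$($mp.IsTamperProtected)"
Add-Check 'Signatures under 2 days old' ($mp.AntivirusSignatureAge -le 2) "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) days"

# 2. Host firewall enabled on the Domain, Private and Public profiles.
$profiles = Get-NetFirewallProfile
$allOn = @($profiles | Where-Object { -not $_.Enabled }).Count -eq 0
Add-Check 'Firewall on all profiles' $allOn (($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# 3a. The payment user must not be a local administrator (so they cannot install or
#     reconfigure software). Group membership is read directly rather than from the
#     token, because UAC strips the Administrators group from a non-elevated token.
$me     = [Security.Principal.WindowsIdentity]::GetCurrent().Name      # COMPUTER\user
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })
Add-Check 'User not in Administrators' ($admins -notcontains $me) "Administrators: $($admins -join ', ')"

# 3b. USB memory drives blocked: either the USBSTOR driver is disabled (Start=4) or the
#     removable-storage policy denies all access.
$usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
$denyAll  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' 'Deny_All'
Add-Check 'USB storage blocked' (($usbStart -eq 4) -or ($denyAll -eq 1)) "USBSTOR Start=$usbStart, Deny_All=$denyAll"

# 4. If wi-fi is in use, it must be WPA2/WPA3 with AES. netsh reports WPA2-PSK AES as
#    Authentication "WPA2-Personal" and Cipher "CCMP"; a wired PC shows no such lines.
$wlan   = netsh wlan show interfaces 2>$null
$auth   = $wlan | Select-String '^\s*Authentication\s*:\s*(.+)$' | ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } | Select-Object -First 1
$cipher = $wlan | Select-String '^\s*Cipher\s*:\s*(.+)$'         | ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } | Select-Object -First 1
if (-not $auth) {
    Add-Check 'Wi-fi encryption' $true 'No wi-fi connection (wired, as recommended)'
} else {
    $ok = ($auth -match '^WPA[23]-') -and ($cipher -match '^(CCMP|GCMP)')
    Add-Check 'Wi-fi encryption' $ok "Authentication=$auth, Cipher=$cipher"
}

# 6. Password-protected screensaver, automatic after a short idle time. A policy value
#    (HKCU\Software\Policies...) overrides the user's own setting if present.
function Get-DesktopSetting($Name) {
    $v = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop' $Name
    if ($null -eq $v) { $v = Get-RegValue 'HKCU:\Control Panel\Desktop' $Name }
    return $v
}
$ssActive  = Get-DesktopSetting 'ScreenSaveActive'
$ssSecure  = Get-DesktopSetting 'ScreenSaverIsSecure'
$ssTimeout = [int](Get-DesktopSetting 'ScreenSaveTimeOut')
$ssOk = ($ssActive -eq '1') -and ($ssSecure -eq '1') -and ($ssTimeout -gt 0) -and ($ssTimeout -le 900)
Add-Check 'Screensaver locks within 15 min' $ssOk "Active=$ssActive, Secure=$ssSecure, Timeout=${ssTimeout}s"

# Report and return a non-zero exit code if anything failed, so the result can be collected centrally.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed check(s) failed"
exit $(if ($failed -gt 0) { 1 } else { 0 })
```

Each line of the table names the control from the list above and the evidence behind the verdict, so a failed row tells the user (or whoever collects the results) exactly which setting to correct. The checks are deliberately strict: a wi-fi link on WPA or TKIP, a user who is a local administrator, or a screensaver that does not require a password all fail, because any of them undermines the protection the list is meant to provide.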
If you would like further information on CPTerminal, please Contact Us.