
Personal laptops


Comments

  • Plasticman
    Plasticman Posts: 2,540 Forumite
    If you are talking about VM software like Citrix then the machine you are working on is the virtual machine on the employer's servers, not the device physically in front of the user. 
    For PCI compliance the device physically in front of the user is still in scope - it's considering things like making sure there isn't a keylogger on the device which applies whether you're using Citrix or not. 
  • 400ixl
    400ixl Posts: 4,482 Forumite
    edited 19 December 2022 at 9:55AM

    Data protection legislation and PCI (card processing compliance) are very different things. I managed PCI compliance as part of my job several years ago and the computer used for processing was in scope for PCI compliance even if you were working on a VPN or via Citrix. Things might have changed since then of course but the guidance here implies not:

    Protecting Payments While Working Remotely (pcisecuritystandards.org)

    Ultimately though this is a risk for the employer and for them to manage as part of their PCI compliance. In this situation you should be aware of what you can or can't do because your training and policies should make it clear. If you haven't had any training then that's a good sign that the employer doesn't take it seriously. 


    There is nothing in your link that means that the data can't be entered into an employee owned device provided the correct security checks have been put in place. And as this has always been the case I wasn't really surprised it doesn't.

    You can have an employee go and buy a PC in PCWorld, and provided you can ensure that it meets the corporate standards (i.e. scan that it has the correct OS version, anti-virus etc) and connects over a secure network (VPN) then you can comply with PCI regulations.

    Concerned that you were part of compliance if you did not understand what could be done. Now, it may be that where you worked did not have the technology to do the compliance enforcement, or did not want to do that. Then enforcing work devices only is fine, but that doesn't mean that it couldn't be done and can't be done today.

    Whether the OP's employer is doing what is required for compliance is an unknown without seeing exactly what is being done, but it does sound like it may not be.
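One way to perform the device check 400ixl describes (confirm OS version, anti-virus and similar controls on the personal laptop before it is allowed onto the VPN), as an added PowerShell example that is not from this thread; the minimum build number and the signature-age threshold are assumed values, and the BitLocker query needs an elevated session:

```powershell
# Added example (not from the thread): a minimal device-posture check for a
# personal Windows laptop, run before the VPN client is allowed to connect.
$MinimumBuild        = 19045   # assumed corporate baseline (Windows 10 22H2)
$MaxSignatureAgeDays = 3       # assumed: AV signatures must be newer than this

$findings = @()

# 1. OS version: compare the running build against the corporate minimum
$os = Get-CimInstance Win32_OperatingSystem
if ([int]$os.BuildNumber -lt $MinimumBuild) {
    $findings += "OS build $($os.BuildNumber) is below baseline $MinimumBuild"
}

# 2. Anti-virus: Defender enabled, real-time protection on, signatures fresh
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += "Antivirus is disabled" }
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    $findings += "AV signatures are $([int]$sigAge.TotalDays) days old"
}

# 3. Disk encryption: the system drive must be BitLocker-protected (needs elevation)
$sys = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($sys.ProtectionStatus -ne 'On') {
    $findings += "BitLocker is not protecting $env:SystemDrive"
}

# 4. Host firewall: every profile (Domain, Private, Public) must be enabled
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall profile '$($_.Name)' is disabled"
}

# Exit code drives the decision: 0 lets the VPN client proceed, 1 blocks it
if ($findings.Count -eq 0) {
    Write-Output "COMPLIANT: device meets baseline"
    exit 0
} else {
    $findings | ForEach-Object { Write-Output "NON-COMPLIANT: $_" }
    exit 1
}
```

In practice the VPN or NAC product runs an equivalent check on every connection rather than trusting a one-off scan, which is the enforcement 400ixl refers to.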
  • Plasticman
    Plasticman Posts: 2,540 Forumite
    400ixl said: (quoting the post above in full)

    You're right of course that it can be a personal device, although it's still in scope and needs to meet the required standards. My first post was our company policy which, of course, isn't relevant to the person who asked the question! 