The way we work has changed considerably over the last several years. The pandemic accelerated remote work – and while some companies are shifting back towards in-person/office-based setups, the need for on-the-go operations – including secure transaction processing – is unlikely to ever go away. From WFH customer service representatives manning phone lines remotely, to sales reps making customer visits and selling their products at tradeshows, today’s payment landscape requires far more flexible solutions than ever before.
With that flexibility, however, comes added responsibility. No matter where or how payments are accepted, they must still be handled in a PCI-compliant manner. This is complicated enough in an office setting, where IT teams have full control over their entire environment; it becomes even trickier when potentially unsecured devices and environments come into play.
At Curbstone, we regularly work with merchants who are looking to embrace remote and mobile payment processing. Here’s what you need to know about PCI compliance for remote workers – and how you can keep transactions secure, even outside of your office.
Understanding PCI Compliance in a Remote Environment
The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that stores, processes, or transmits cardholder data. All transactions must be compliant, regardless of where they take place. That means that every device, system, and person that interacts with card data – in or outside of a corporate office – must be appropriately secured.
Accommodating Multiple Types of Remote Payments
Remote doesn’t just mean “at home.” Off-site transactions may include:
- Customer visits – Field sales reps who initiate or close transactions at their customers’ offices
- Tradeshows or industry events – External teams who demo products and sign deals on the tradeshow floor
- Mobile service teams – Technicians or delivery drivers who take payment on completion/delivery of an order
In each of these scenarios, the tools and workflows your team uses directly impact your PCI scope (the number of systems you need to include in your annual compliance reporting) as well as your overall level of risk.
Compliance Concerns for Remote Work Environments
Remote work introduces several PCI compliance risks, including:
- Unsecured Wi-Fi connections
- Personal devices used for business payments
- Lack of secure environments for verbal or written card data
- Storage or transmission of sensitive data over unapproved channels (including writing it down on paper to process when back in the office)
Even if your team isn’t handling high volumes of transactions remotely, any single instance of processing or storing card data can put you out of compliance.
Portable Payment Options for the Modern Workforce
To stay PCI-compliant while your team is on the go, you need a secure, portable transaction processing solution that eliminates the need for manual data handling. Potential options include:
1. Secure Hosted Payment Links
Send customers secure one-time payment links via email or text. Customers are routed to a hosted page where they can securely enter their payment info on their own time. When the data is passed directly from this page to the authorization network – bypassing your own devices and order entry system – it can keep your environment out of scope for PCI compliance.
2. Virtual Terminals with Tokenization
For customer service or billing reps working from home, a virtual terminal with tokenization lets them process transactions without viewing or storing cardholder data and without local device exposure.
3. Mobile Point-of-Sale Devices
When face-to-face transactions occur outside the office, mobile EMV terminals offer a secure way to collect payment. Look for options that encrypt data at the point of entry and avoid storing any sensitive information on the device itself.
4. Voice Payment Solutions
Remote workers accepting payments over the phone are automatically in scope for PCI if they take cardholder data directly from the customer. However, IVR technologies that let customers input their own card data from their own devices – without your employees hearing or recording it – can take them back out of scope. This can be a major improvement for remote order entry teams.
Compliance Is Not One-Size-Fits-All
There’s no universal answer for what constitutes PCI compliance in a remote or mobile environment. Your specific compliance obligations depend on your workflows, infrastructure, and the types of payments you accept.
It’s always best to consult with a PCI-certified Qualified Security Assessor (QSA) to evaluate your current practices and determine what changes may be required.
But no matter your use case, one thing is clear: you can’t rely on the same tools and habits you used in the office.
Ready to Make Remote Payments Faster and More Secure?
At Curbstone, we help mid-market businesses modernize their payment workflows—without compromising compliance. Whether your team is at home, on the road, or at a tradeshow, we’ll help you find the right combination of tools to streamline transactions and protect your customers’ data.
Let’s talk about how you can accept payments anytime, anywhere—securely.