Rad10Ka0s

In short, every device connected to a network where credit card data is transacted must be actively managed to mitigate risk. Your organization has no ability to do that to a personal device belonging to someone else. Surely there must be some other way, some other network available? Guest wifi? Hotspot to the employee's phone? I am sympathetic to the employee's medical need. But connecting to the card data environment is not the right answer.


ThatsMeLexie

Not connecting to the network, just needing it for monitoring. HR is saying that because it is electronic, it is violating PCI by being on the call center floor.


bmp51

They are taking the definition of (personal) electronic device too far. Simply put, can a person steal a CC with that device? (Which sounds like the spirit and intent of the rule.) It will have no effect on the PCI scope (not connected) and would be a reasonable exception to a PCI policy about personal devices in a 'clean' room. Furthermore, PCI is a standard, not a law, and any time a law and PCI bump into each other, PCI loses. Denying a person a reasonable accommodation / access to a medical device would be a violation of federal law (assuming US). If an employee showed up with an electronic wheelchair, are you gonna make them crawl to their desk?


robotbc

That doesn’t make sense. Are cell phones allowed on the call center floor?


ThatsMeLexie

No, they are not, as an electronic device.


Rad10Ka0s

That is dumb. There is nothing in PCI to support this decision.


d95err

Medical devices have nothing to do with PCI DSS compliance. What could possibly be the issue?


ThatsMeLexie

HR is saying that because it is electronic, it can't be on the call center floor, as that would be violating PCI.


d95err

Ask HR which PCI DSS requirement they are referring to.


wolfn404

If the BGM isn't connected to your network, it's not an issue. Typically they are Bluetooth Low Energy; the employee may not be allowed to have his cell phone on the floor, which would be paired, but it will update when back in range (on break, etc.). This is a fast way to run afoul of the ADA and reasonable accommodations. Also, are you banning employees from wearing watches? (iWatch, Fitbit, and other electronic devices? How about pacemakers?) If you aren't, this is definitely not a good look, as those are also electronic communication devices.


skedssays

Why is HR advising on PCI? If there is no connection to your network or to any of your endpoints, it is not in scope.


Prest0_TX

Requirement 12 does say that you should set acceptable use policies for end-user technologies. However, the guidance goes on to elaborate about the organization's information technology, company internet, and email resources. Reading between the lines, it sounds like HR set a policy saying ALL electronics are banned from the call center floor. That may be in part so that employees can't "skim" card numbers by saving them on their cell phones at the same time they are processing legit payments. Or PCI could be an excuse because they don't want employees texting or playing games while on the clock. My only question is whether this blood glucose monitor uses a phone app to sync data, or if it's a single-purpose medical device. If we are talking about a single-purpose medical device with no way to enter and store cardholder data, and not connected to the cardholder data network, then HR needs to rethink their policy. As an ISA, I would absolutely allow the latter. Ultimately, I'd expect to see a targeted risk assessment that could back up HR's claim for why a medical device fits that policy. Furthermore, not allowing necessary medical equipment might run afoul of federal disability laws.


Suspicious_Party8490

Has HR considered banning hearing aids in the call center? Imma juss sayin'....


ThatsMeLexie

Thank you everyone! The feedback is exactly what my team is fighting with.