by mschuster91
1650 days ago
> PCI-DSS demands at least some control over employee laptops to ensure that certain secure configuration standards are met. How does PCI-DSS compliance work in European countries, with GDPR and actual employee rights with teeth and serious fines at play?

PCI-DSS certified companies (mostly based on my experience at the one I'm currently employed at in France and things I've heard) have agents on employee laptops, but there's an upfront disclaimer about what it does and what data it collects (close to none - it checks for encryption, password policy, antivirus and stuff like this, but no actual activity data is collected). In some cases work has to be done on a terminal server, so no actual PCI-DSS covered data hits the employee laptops.

And note, there was backlash against the agent being deployed, which was handled with full transparency - the scripts run by the agent are (internally) open source, there were assurances about privacy, etc. Considering the fines possible, and employee representation, employees are generally inclined to trust those assurances.