Posts Tagged ‘PCI Compliance’

Maintaining Regulatory Compliance

Posted on: April 23rd, 2020 by jiml

A part of doing business is complying with regulations. Regulations come from various places, primarily governments but also from industries. The major credit card providers teamed up to create the Payment Card Industry Data Security Standards (PCI DSS) as an example of an industry-led regulation. On the government side there are many. Most of you are familiar with HIPAA to protect health information, and each state has its own laws on the books to protect consumer data now that Alabama joined the ranks in 2018. There are a myriad of other regulations out there making it difficult for the average business to keep up.

What is the process for maintaining compliance? The first step is to make someone within your organization responsible for compliance. Some organizations are large enough, or in an industry that supports it, to have a full-time compliance manager. Many organizations do not have the means or the need for this, which is typical in the SMB market. Those SMBs should still appoint someone to take the lead. Think about partnering with an expert to help guide you through the compliance process; if your appointed person or team does not have the time to stay current with the regulations, this will be key.

Step two is to understand which regulations your organization needs to comply with. Are credit cards processed, so that PCI DSS applies? Does your organization do work with the Federal government and need to comply with NIST 800-171, or with the European Union and need to comply with GDPR? Do you know your state's PII (Personally Identifiable Information) statute? Knowing exactly what your regulatory requirements are is a must. Not knowing the law is not an excuse for non-compliance. (If it were, I would never get a speeding ticket!)

Now that you have identified the regulations your organization needs to comply with, the process for compliance is the same regardless of the regulation. Assess-Mitigate-Maintain.

Assess: Evaluate where you are currently versus the regulation requirements. (Think gap analysis)

Mitigate: Address the shortcomings or gaps to meet the standards of the regulation.

Maintain: Develop a plan to maintain compliance going forward.

You cannot be compliant without documentation. Colden Company has programs in place to help businesses with PCI Compliance and HIPAA, and we also have a program to meet the NIST Cyber Security Framework (CSF) and provide the necessary documentation. NIST CSF is an excellent framework to follow since many state PII regulations are loosely based on it. If your organization does business in several states, following the NIST CSF is a great place to start for compliance. It will meet most states' regulations and show that your organization is taking deliberate steps to comply.

Would you like to discuss your specific requirements? Give Colden Company a call at (888) 600-4560 or email us at info@coldencompany.com and let our team of experts put you on a path to compliance.


Top Ten Myths of PCI Compliance

Posted on: September 27th, 2017 by jiml

Hackers WANT your credit card data. They WANT your customer’s credit card data. They will try hard to get it. They will NOT stop. These are unfortunate truths.

In 2006, MasterCard, Visa, JCB, American Express, and Discover established the PCI Security Standards Council, a third-party entity, to manage the Payment Card Industry security standards and to promote the standard's implementation by all companies (i.e. merchants) that accept credit/debit cards, including all:

Retail merchants: Any business that operates in a storefront location, where the customers' debit and credit cards are physically swiped through the payment terminal.

Internet merchants: Any business being run online that collects and processes credit and debit card information from its e-commerce website.

MOTO (mail or telephone order) merchants: Any business that operates by taking payments via the telephone and/or direct mail.

Even if you process one credit card per year, your business must be PCI compliant. If you process through a third party, that does not absolve your business from PCI compliance. Many businesses do not take this seriously... until a breach occurs. As many of you know already, the credit card companies and banks have made a concerted effort to shift liability for the massive amount of credit card fraud taking place from their business to yours. If your business is not using chip readers, you are at risk. If your business is not PCI compliant, you are at risk.

PCI Compliance is not solved through a single vendor or product. There are many requirements and some of them are business process related and some are technology related. Below is a list of the top ten myths surrounding PCI requirements from the PCI Security Standards Council.

Top Ten Myths of PCI Compliance

1. One product will make us compliant.
2. Outsourcing card processing makes us compliant.
3. PCI DSS compliance is an IT project.
4. PCI DSS will make us secure.
5. PCI DSS is unreasonable, requiring too much effort and expense.
6. PCI DSS requires us to hire a Qualified Security Assessor.
7. We don't take enough credit cards to necessitate compliance.
8. We completed a SAQ so we're compliant.
9. PCI DSS makes us store cardholder data.
10. PCI DSS is too hard.

Source: www.pcisecuritystandards.org

Is your business PCI compliant? Are you aware of the penalties for being out of compliance? Given the current data security climate, have you given this enough attention? If you answered “no” to any of the above questions, give Colden Company a call at (888) 600-4560 or email us, or visit us on Facebook or Twitter.