PCI DSS Compliance for Service Providers | A Growing Trend

PCI DSS compliance for service providers is growing at quite an astonishing rate, to say the least. One of the biggest contributors is that of data centers, co-location facilities, and other types of organizations providing managed services. In short, they are quickly being identified as “in scope” and in the loop in regards to storing, processing or transmitting cardholder data. Compliance for many of these service providers is not as explicit as it is for merchants; this due in large part to the unique service offerings provided by each respective service provider themselves.

Listed below are some common examples of Service Providers that are now being requested to become Payment Card Industry Data Security Standards (PCI DSS) compliant:

Transaction Processors
Payment Gateways
Web Hosting companies
Data Centers
Managed Service providers.

And the major payment brands have varying terms for what they actually call a service provider. Some are called a “Third Party Processor”, a “Data Storage Entity”, or a “Payment Service Provider”.

Two things to remember: First, compliance for service providers will continue to grow, and rapidly. Second, storing, processing, or transmitting data in any type of capacity will immediately place you under the category of a merchant or a service provider.

Visit the official PCI DSS Resource Guide to learn more about PCI compliance.

PCI DSS | SAS 70 | Finding Resources to Learn about Compliance

PCI DSS and SAS 70 Type I and Type II audits are a mainstay in today’s regulatory arena. As such, i’m often asked what are some of the best resources available to learn about the Payment Card Industry Data Security Standards (PCI DSS) initiative and the SAS 70 audit requirements.

PCI DSS
pcisecuritystandards is the official site for PCI DSS compliance. It was put forth by the Payment Card Industry Security Standards Council, commonly known as the PCI SSC. The major payment brands have effectively endorsed the PCI DSS standards, thus you can learn all you need to know about PCI DSS by visiting their site. The left column gives you quick links to all the important PCI DSS information. Their are also some very helpful forums such as pcianswers and pcidssguru. These sites are managed by industry veterans in the Payments Industry and they give you unbiased and straight answers to any questions you may have.

SAS 70
The official AICPA website offers little in the way of education on SAS 70 audits. They do sell a book on SAS 70, but it is primarily geared towards auditors and is written in a technical manner. The other solution is to visit the Official SAS 70 Resource Guide, where you can watch training videos and learn all aspects of SAS 70 Type I and Type II audits.

PCI DSS and Data Centers | Tips for Compliance

Payment Card Industry Data Security Standards (PCI DSS) compliance for data centers is here to stay, thus your facility should be prepared to undergo the PCI DSS assessment in a cost-effective and efficient manner. Here are some tips for PCI DSS compliance for data centers.

1. PCI DSS compliance is NOT just limited to Appendix A of the PCI DSS requirements.
2. Conduct a PCI DSS Readiness Assessment for truly understanding the scope of the engagement for compliance.
3. Make sure you have policy and procedural documentation in place as this is a very large and time consuming effort for any organization, especially data centers.
4. Understand the requirements for quarterly scanning and penetration testing and what is in scope for the PCI DSS assessment.
5. Correctly SCOPE the assessment. This sounds like an easy process, but it can become quite complex with all the products and services (managed services) that data centers offer for businesses today.
6. Understand the initial “roadblocks” which many service providers run into, such as having to implement two-factor authentication for remote access into the production environment along with having password requirements for all system components that fall within the scope of the actual PCI DSS assessment. (These are just two of the many roadblocks that organizations encounter).
7. Find a competent, well-qualified QSA to assist with all your compliance needs.

Visit the official PCI DSS Resource Guide to learn about PCI DSS compliance.

SAS 70 Audits for Data Centers | Why the Trend will Continue

SAS 70 audits have quickly become a high priority for data centers, co-location entities and managed service providers as of late. And there are plenty of reasons why this trend will continue go grow. The number of organizations that have buried the client server architecture is growing every day, resulting in a huge surge for data centers. In fact, most quality data centers in the United States are having little or no challenges in filling up their data center floor space. From traditional ping, power and pipe to fully managed services, data centers are becoming a necessity for most businesses today. As a result of this, their respective compliance requirements will continue to expand also. From SAS 70 to PCI DSS, just to name a few, data centers are being hit hard with the regulatory compliance bug.

Add to the fact that many data centers are now physically housing sensitive health care and financial information for many of their clients. As such, client requests for the security, confidentiality and integrity of this data are being validated via SAS 70 Type II audits. This “trend” if you want to call it that, will become a mandatory requirement for any data center seeking to grow and prosper in the coming years.

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits.

GLBA and Data Centers | Tips for Compliance

GLBA Privacy Rule
Protecting the privacy of consumer information held by “financial institutions” and other third party vendors and service providers that provide “support services” to these “financial institutions” is at the heart of the financial privacy provisions of the Gramm-Leach-Bliley Financial Modernization Act of 1999. The GLB Act requires companies to give consumers privacy notices that explain the institutions’ information-sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

The GLB Act applies to “financial institutions” and other third party vendors and service providers; companies that offer and support financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to “financial institutions” that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. Among the institutions that fall under FTC jurisdiction for purposes of the GLB Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC’s regulation applies only to companies that are “significantly engaged” in such financial activities, such as DATA CENTERS.

The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.

Consumers and Customers
A company’s obligations under the GLB Act depend on whether the company has consumers or customers who obtain its services. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.

Thus, in short data centers may very well be called upon to become GLBA compliant via an audit or assessment process. My advice, find a competent SAS 70 auditor who can help incorporate GLBA tests into a SAS 70 or find a competent GLBA auditor.

HIPAA Security Rule | Another area for Data Center Compliance

As with the Privacy Rule, the Security Rule is also an important provision that data centers should be compliant with.

Security Rule: The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It essentially identifies the three types of security safeguards required for compliance:

• Administrative
• Physical
• Technical

EMR: Regarding Electronic Medical Records, the HIPAA Privacy Rule and Security Rule provisions essentially account for the safekeeping of EMR’s. Thus, a HIPAA | EMR audit conducted in accordance with the HIPAA Privacy Rule and Security rule would test the safeguards of EMR’s, essentially including them in the scope of the audit.

And with the growth of data centers, co-location facilities, and other managed services entities, being compliant with HIPAA would be a smart move. Any organization that is physically housed in any data center would arguably require that very data center to be HIPAA compliant. Find a competent, well-skilled HIPAA auditor to assist you in this endeavor.

HIPAA Privacy Rule | Attention Data Centers | Are you HIPAA Compliant?

First it was SAS 70, then PCI, now HIPAA is fast becoming a requirement for data centers. Here’s what you need to know about the HIPAA Privacy Rule.

An electronic medical record (EMR) is usually a computerized legal medical record created in an organization in which the health information system allows storage, retrieval and manipulation of these respective records.

Electronic medical records, similar to that of hard copy medical records, must be kept in unaltered form and authenticated by the creator. Under data protection legislation, such as HIPAA, responsibility for patient records (irrespective of the form they are kept in) is always on the creator along with one of many custodians of the records, usually a health care practice, facility, or entity, such as DATA CENTERS.

Privacy Rule: The HIPAA Privacy Rule regulates the use and disclosure of certain information held by “covered entities”, which includes health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions. It establishes regulations for the use and disclosure of Protected Health Information (PHI).
Although HIPAA was enacted in 1996, the enforcement of the Privacy Rule began in 2003. The Privacy Rule mandates the following:

• Regulates the use and disclosure of protected health information by health plans, health care clearinghouses, and health care providers who transmit financial and administrative transactions electronically.
• Establishes a set of basic consumer protections
• Permits any person to file an administrative complaint for violations
• Authorizes the imposition of civil or criminal penalties.

If your data center needs to be compliant with HIPAA, then find a competent auditor to assist you.

HIPAA Compliance for Data Centers | The How and Why

HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. It first started with Statement on Auditing Standards No. 70 (SAS 70), it is now moving onto the Payment Card Industry Data Security Standards (PCI DSS) provisions, and how the Health Information Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.

In short, it is a string of compliance requirements that has and will continue to be had for data centers, co-location, and managed service entities. And why? Because these types of businesses are at the forefront of virtualization, cloud computing, hybrid clouds, software as a service (SaaS) platforms

So, if a data center undertakes a HIPAA assessment or audit, are they HIPAA compliant, do they get a HIPAA certificate, etc? The best way to answer that is an accounting firm would undertake an Agreed Upon Procedure (AUP) audit an the audit itself would test the requirements as stated in the HIPAA provisions. You would then end up with a data center that is compliant with these very provisions.

In subsequent blogs, i’ll discuss the scope of a HIPAA assessment/audit for a data center.

PCI DSS for DATA CENTERS | It’s only going to become MORE of a Requirement

I attended a recent compliance conference for data centers and the phrase that kept coming up was PCI DSS. That’s right, the Payment Card Industry Data Security Standards, simply known as PCI DSS to millions, is spreading like a virus throughout the business community. Merchants were the first set of businesses to be hit with the compliance mandate, quickly followed by “service providers” that also “process, store, and transmit” cardholder data or transaction data.

Data centers, co-locations, and managed service entities are now quickly getting up to speed with PCI DSS compliance. These types of businesses will fall under the realm of a “service provider”, thus most will more than likely “have to” go through an actual on-site PCI DSS assessment by a Qualified Security Assessor, known as a QSA. The real big news about PCI DSS and data centers is not so much that they are having to become compliant, but what truly is the “scope” of the assessment. I’ll cover that in subsequent blogs, but for now, just be aware of the growing importance of PCI DSS compliance for data centers, co-location, and managed service entities.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

SAS 70 Training Videos | The Best Way to Learn about Type I and Type II Audits

SAS 70 training videos are simply the best way to truly gain an understanding of the inner workings on Statement on Auditing Standards No. 70. As an auditor, i’ve been asked many times on this post and others if content can be developed to gain a better understanding of how the Type I and Type II audit process begins and ends. Well, watch the ten (10) SAS 70 training videos and you’ll quickly get up to speed on all you need to know about Type I and Type II audits. Listed below are the topics of each of the ten (10) videos.

1. Introduction to the SAS 70 Auditing Standard

2. SAS 70 Type I Audits

3. SAS 70 Type II Audits

4. SAS 70 & Audit Scope

5. SAS 70 Audit Cost & Pricing Factors

6. SAS 70 Readiness Assessment and Questionnaires

7. SAS 70 Audit Planning and Audit Fieldwork Activities

8. SAS 70 Roadmap to Compliance

9. Frequently Asked Questions

10. Concluding Thoughts on SAS 70 Audits

Visit the official SAS 70 Resource Guide to learn more about SAS 70 Type I and Type II audits and to also view the SAS 70 Training Videos.