HIPAA, the Health Insurance Portability and Accountability Act, has been with us for years now. Upon reading through the vast and cumbersome documentation, one quickly realizes that HIPAA has many moving parts, enough to make you gaze in amazement at what the explicit intent for compliance actually is. Regarding the security provisions of HIPAA (the Department of Health and Human Services rule at 45 CFR Parts 160, 162, and 164, Health Insurance Reform: Security Standards; Final Rule), there are a number of broad-based requirements for ensuring HIPAA compliance.
But that is really where it ends, because unlike a SAS 70 Type II audit or a Payment Card Industry Data Security Standard (PCI DSS) assessment, HIPAA compliance is, for the most part, not actively overseen. What does it really mean to be HIPAA compliant? With which part of HIPAA do organizations need to be compliant? What are the true penalties for non-compliance, if any?
HIPAA needs to take a more aggressive approach, possibly a revision of the law along with explicit rules defining what compliance is and which part of the HIPAA legislation it applies to. Only then will HIPAA really have bite like SAS 70 or PCI DSS.
PCI DSS compliance has taken a lot of shots lately, much of it unfair. Sure, there have been a number of high-profile data and security breaches, such as the recent compromise of 130 million payment (credit and debit) cards.
These stories make great front-page news and, to be fair, they need to be covered to report on the growing security issues facing businesses today. With that said, the Payment Card Industry Data Security Standard, commonly known as PCI DSS, has proven to be a highly effective and sustainable compliance initiative for protecting cardholder data. I have probably earned some critics already by making such a bold statement, but keep in mind that the number of organizations that have successfully become compliant and have NOT suffered a data breach is very impressive indeed. Sure, the bad apples always cause the problems, making front-page news and calling the validity of PCI DSS into question. It is hard in today's society to have absolutes on almost any variable, compliance being one of them.
An ounce of prevention can go a long way, and that’s exactly what many merchants and service providers have done by implementing PCI DSS standards and becoming compliant.
Visit the official PCI DSS Resource Guide to learn more.
PCI DSS compliance for merchants is a hot topic indeed, as witnessed by the large and ever-growing number of businesses having to comply with PCI DSS. And to be fair, the vast majority can "self-assess" for compliance by answering a series of questions from the appropriate Self-Assessment Questionnaire (SAQ) document obtained at www.pcisecuritystandards.org.
But lurking beneath are a number of variables, issues and hot topics that may well result in many more merchants having to undertake the dreaded on-site PCI DSS assessment by a Qualified Security Assessor (QSA) instead of simply filling out a Self-Assessment Questionnaire.
For one, the Self-Assessment Questionnaires are starting to be seen as nothing more than a check-the-box exercise, with little or no effort taken by merchants to truly secure their cardholder data environment. Unfortunately, many merchants have come to regard "self-assess" as a meaningless document that is nothing more than a burden to their businesses. Merchants beware, as the major payment brands, acquirers and other interested parties (i.e., state legislative bodies) are seeking to change this. MasterCard recently made changes to its merchant level requirements which, to say the least, could potentially impact a large number of merchants. Add to that the fact that payment processors, gateways and customers alike are now asking more and more about PCI compliance from the organizations they do business with.
If you want to learn more about PCI DSS compliance, visit the official PCI Resource Guide.
The trend of late has been Payment Card Industry (PCI) Data Security Standard (DSS) compliance, along with a continued emphasis on the well-known SAS 70 auditing standard. And occasionally, calls for GLBA and HIPAA compliance come along too. As an auditor for many years, I am often asked to look into the crystal ball of compliance and give my prescient thoughts and answers.
First and foremost, SAS 70 Type II audit and PCI DSS assessment requirements will continue to grow: larger in scope regarding the actual requirements, and larger in the number of companies having to comply. Data breaches are occurring at a feverish pace, causing great unrest for all participants involved. Add the continued importance of corporate governance, regulatory compliance and security, and it becomes quite evident that SAS 70 and PCI will play a critical role for many years.
Additionally, more and more states will start to adopt various provisions of the PCI DSS requirements, codifying them into the laws of their respective states. Minnesota became the first state to do so with the MN Plastic Card Security Act, followed by Nevada and a host of other states that are seriously looking at adopting PCI into law.
As for GLBA and HIPAA, they will more than likely continue to "limp" along, as they simply lack the regulatory "teeth" that SAS 70 and PCI have. This may change if the SEC and the Department of Health and Human Services give GLBA and HIPAA more explicit compliance requirements, but this is highly doubtful.
SAS 70 audits and PCI DSS assessments are on everybody's radar screen today, or so it seems; particularly SAS 70 Type II audits and Payment Card Industry Data Security Standard (PCI DSS) Level 1 assessments.
And why? Because many service organizations, merchants and service providers are being asked to become compliant through a SAS 70 audit, a PCI DSS assessment or both, for purposes of today's regulatory compliance initiatives. Take note: Nevada just passed provisions of PCI into law, joining Minnesota as another state that is taking security and privacy to a new level.
I’ve put together a comprehensive white paper on SAS 70 Type II audits and PCI DSS Level 1 assessments that is definitely good reading material if your organization has to become compliant with either of these.
SAS 70 for payroll companies is fast becoming a requirement in this industry. And why? Because payroll companies perform critical and material outsourced functions for many organizations in today's business arena. What's more, they have a responsibility to protect vital consumer information, such as social security numbers, dates of birth and federal EIN tax numbers, just to name a few.
Add to that the high degree of risk in this industry, and it is quite easy to see why payroll companies are being asked to become SAS 70 Type II compliant.
The scope of a SAS 70 audit for a payroll company will include a host of general controls along with specific business-process operational controls that examine and test the payroll life cycle from start to finish, that is, from how consumer information is obtained to the final issuance of hard checks or electronic direct deposit.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide, where a wealth of information can be obtained on both Type I and Type II audits.
PCI DSS service provider levels for Visa are defined as follows:
Level 1: All VisaNet processors (member and non-member) and all payment gateways.
Level 2: Service providers (agents) not in Level 1 that store, process or transmit more than 1 million accounts/transactions annually.
Level 3: Service providers (agents) not in Level 1 that store, process or transmit fewer than 1 million accounts/transactions annually.
Additionally, these various "levels" have predefined validation requirements for PCI DSS compliance, which are drawn from the following:
* Annual on-site review by a QSA
* Quarterly network scan by an Approved Scanning Vendor (ASV)
* Annual Self-Assessment Questionnaire
(Canada: SAQ required and must be reviewed by a QSA)
In short, if your level calls for an on-site review, you will need to retain a Qualified Security Assessor (QSA) to help with PCI DSS compliance. A QSA will guide your organization through the actual on-site assessment.
PCI merchant level requirements for Visa are stated as follows:
Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Also, any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
The other payment brands (MasterCard, American Express, Discover Card, and JCB) also have their own requirements for merchants.
PCI DSS compliance is mandatory for Level 1 merchants and service providers, and at Level 1 the validation method is not a questionnaire. In short, if you are a Level 1 merchant or service provider and have been called upon to validate Payment Card Industry Data Security Standard (PCI DSS) compliance, then an on-site assessment by a Qualified Security Assessor (QSA) is what you will need.
A QSA is a company that the Payment Card Industry Security Standards Council (PCI SSC) has qualified to perform on-site PCI DSS assessments; the individual assessors it employs must complete the Council's training and certification before they can sign off on an assessment.
For more information about PCI DSS compliance and in hiring a QSA for all your Level 1 needs, visit the official PCI DSS Resource Guide.
And lastly, MasterCard has now strengthened its requirements so that Level 2 merchants must also undertake an on-site PCI DSS assessment.
SAS 70 audit and compliance will be entering the financial services sector in a much more in-depth manner in the coming years. Sure, SAS 70 audits have been widely used for asset accounting, hedge funds and trust establishments, but the push will go much further and deeper. Thank Mr. Madoff and his Ponzi scheme, along with increased regulatory compliance from the Obama administration.
Currently, the United States Securities and Exchange Commission (SEC) is looking into requiring Registered Investment Advisers to have an annual "surprise audit" and/or an "internal control" audit. In short, the default, without question, will be Statement on Auditing Standards No. 70.
The Obama administration is also looking into many other avenues of regulatory compliance that may include various provisions for additional auditing and oversight. Thus, once again, SAS 70 Type II audits may very well become commonplace and well known in other financial sectors. Let's wait and see what truly unfolds in the coming months.
Visit the official SAS 70 Resource Guide to learn more about Type I and Type II audits.