Payment Card Industry Data Security Standard archives - Regulatory Compliance, Governance and Security

Nov 18 2009   1:52PM GMT

PCI DSS Compliance and the Major Payment Brands | What you may NOT Know

Posted by: Charles Denyer
American Express Data Security Operating Policy, Discover Information Security Compliance, Site Data Protection, Cardholder Information Security Program, Data Security Program, charles denyer, PCI DSS, Payment Card Industry Data Security Standard, PCI Resource Guide

Merchants and service providers seeking to become Payment Card Industry Data Security Standard (PCI DSS) compliant may not actually know that the five (5) major payment brands also have their own security risk management and compliance programs. However, rest assured that, by and large, these programs are essentially “encapsulated” into the overall PCI DSS framework for purposes of compliance.

With that said, here they are:

AMEX: It’s the “American Express Data Security Operating Policy” (DSOP)
Discover: It’s the “Discover Information Security Compliance” (DISC)
JCB: It’s the “Data Security Program”
Mastercard: It’s the “Site Data Protection” (SDP)
VISA: It’s the “Cardholder Information Security Program” (CISP)

So, to learn more about these five programs, simply “google” the respective program names and you’ll find some very interesting (and hopefully useful) information. These payment brand programs include tracking and enforcement provisions, penalties, fees and compliance deadlines, along with other essential information.

To learn more about PCI DSS compliance, visit the official PCI Resource Guide.

Sep 25 2009   1:49PM GMT

HIPAA Compliance for Data Centers | The How and Why

Posted by: Charles Denyer
HIPAA, SAS 70, PCI DSS, data centers, managed services, co-location, Payment Card Industry Data Security Standard, health insurance portability and accountability act, charles denyer

HIPAA compliance for data centers is fast becoming a hot topic in regulatory compliance. It first started with Statement on Auditing Standards No. 70 (SAS 70); it is now moving on to the Payment Card Industry Data Security Standard (PCI DSS) provisions, and the Health Insurance Portability and Accountability Act (HIPAA) mandates may very well be next on the horizon.

In short, it is a string of compliance requirements that data centers, co-location, and managed service entities have faced and will continue to face. And why? Because these types of businesses are at the forefront of virtualization, cloud computing, hybrid clouds, software as a service (SaaS) platforms.

So, if a data center undertakes a HIPAA assessment or audit, are they HIPAA compliant, do they get a HIPAA certificate, etc.? The best way to answer that is that an accounting firm would undertake an Agreed Upon Procedure (AUP) audit, and the audit itself would test the requirements as stated in the HIPAA provisions. You would then end up with a data center that is compliant with these very provisions.

In subsequent blogs, I’ll discuss the scope of a HIPAA assessment/audit for a data center.

Apr 20 2009   1:03PM GMT

Payment Card Industry Data Security Standard | Learn about PCI DSS

Posted by: Charles Denyer
Payment Card Industry Data Security Standard, charles denyer, PCI DSS, visa, mastercard, american express, amex, discover, jcb, service providers, merchants, pci ssc, pci dss self assessment

The Payment Card Industry Data Security Standard, commonly known as PCI DSS, is a far-reaching compliance initiative put forth in a collaborative fashion by the major payment brands (VISA, MasterCard, American Express, Discover, and JCB). These compliance initiatives are overseen and guided by the Payment Card Industry Security Standards Council (PCI SSC).

Thus, if you need to become PCI DSS compliant, there are a number of valuable resources to look at. But first and foremost, you need to understand what Level you fall into for PCI DSS compliance. For merchants, you can be categorized anywhere from Level 1 to Level 4. Level 1 audits require an on-site PCI DSS assessment, while at the other Levels you can conduct a PCI DSS Self-Assessment. These are general rules, however. Compelling business requirements could require some Level 2, 3, and 4 providers to have an on-site audit conducted. Also, requirements vary between the major payment brands depending on your transaction level. Find out what your transaction level is, first and foremost.

Additionally, there are requirements for service providers as well, so you will also need to identify your transaction level.