Posted by: Eric Hansen
“Being compliant” is a big buzzword lately that really adds nothing to the company needing it. Chances are people will be able to tell you how they can make you compliant, but not why you should be. Granted, the flip side is that if you’re looking into compliance you should already know why you want it done, but still.
PCI and HIPAA compliance are probably the most common ones, serving the purposes of credit card processing and medical records respectively. The main case for these is that more and more people are using plastic instead of paper to pay for things, and if you’re doing business online it’s virtually a necessity somewhere down the line. HIPAA, while part of me feels it has seen its day as fewer and fewer people can afford to go to doctors/medical professionals, still holds a strong place in government regulations (PCI isn’t government regulated).
I don’t know the fundamentals of HIPAA regulations (I never really was concerned with it), but PCI is a tricky little fella. It has 4 classes/levels: A, B, C, D, which range from strictest to laziest. Most online merchants will fall between C and D, and physical merchants will be A and B (simply due to the vast differences in how cards are handled). D, which is common for stores that are on shared hosting plans and do not actually store CC information, is also the most common. A has the hardest checklist of items to pass, however. It goes not only into virtual security but also physical.