
Compliance Mandates


The following information is a part of our free cybersecurity and compliance Academy course.


Compliance Mandates Overview


The type of data your company handles determines which compliance mandates you need to follow.

For example:

  • If you handle payment card data, you need to follow the PCI DSS;

  • if you handle protected health information, HIPAA applies;

  • and if you collect or process personal data of people in the EU, the GDPR applies to you (it protects individuals in the EU, not only EU citizens).

Each of these standards has its own scope and purpose. Some emphasize security controls, others privacy. Some requirements overlap, but overlap does not mean that compliance with one mandate equals compliance with another.

For example, PCI DSS prescribes a list of specific security controls, whereas GDPR focuses on process and privacy, and HIPAA covers both privacy and security.

It’s also important to note that compliance will look different at every organization, so be careful to avoid the “check-box” mentality that can mislead data security and compliance efforts. 


PCI DSS Compliance


Becoming PCI compliant can seem like a frustrating process, especially if you’re a small to medium-sized business.

To give you a quick overview, PCI stands for the Payment Card Industry: the merchants, processors, acquiring banks, issuers, and card brands involved in taking and processing payments with cards from brands such as Visa, Mastercard, and American Express. The major card brands came together to regulate the industry and, most importantly, to help businesses and customers avoid card data theft and fraud.

In 2006 the five major brands (American Express, Discover, JCB, Mastercard, and Visa) formed the Payment Card Industry Security Standards Council (PCI SSC), which develops and maintains the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of twelve requirements, each covering an area of card-handling practice, that must be met to store, process, or transmit payment card data securely. Because it is an industry standard applied through merchant agreements rather than a law, anyone who accepts card payments has to meet it.

The PCI DSS was developed by the Council with involvement from the major card brands, but the PCI SSC is a standards body, not an enforcement organization; the individual card brands and merchant (acquiring) banks are the ones who actually enforce the standard. Many of the merchant banks we work with charge a non-compliance fee, and merchants who do not meet the standard can face fines passed down from the card brands and, in serious cases, loss of the ability to accept cards.

Now that you know the purpose of PCI compliance, let’s talk about how to become compliant. In basic terms, PCI compliance can be broken down into four steps.

First, identify your scope: determine where and how card data is stored, processed, and transmitted at your business, which systems and people are connected to that cardholder data environment, and therefore which PCI requirements you need to validate. The fewer systems that touch or can reach card data, the smaller your scope.

Second, complete a Self-Assessment Questionnaire (SAQ) to assess your compliance with the PCI DSS and close any security gaps you find. How you handle card data, and how much of the processing you outsource, determines which SAQ you must fill out: the lower your processing risk to card data, the fewer of the total PCI DSS requirements you must validate. Merchants that process large volumes of card transactions may instead be required to complete a full Report on Compliance (RoC) written by an external Qualified Security Assessor (QSA).

Third, if any in-scope system is reachable from the Internet (an e-commerce site, for example), you are typically required to have external vulnerability scans run at least quarterly by a PCI Approved Scanning Vendor (ASV).

And lastly, once you have completed your SAQ and achieved a passing scan, report your compliance to your acquiring bank or payment processor.

Again, the main purpose of PCI compliance is to improve your organization’s data security. A little consistent effort implementing data security principles goes a long way toward deterring cyber criminals and protecting your business.


PCI DSS REQUIREMENTS OVERVIEW

REQUIREMENT 1: PROTECT YOUR SYSTEM WITH FIREWALLS

  • Install a hardware and software firewall

  • Tweak firewall configuration for your system

  • Have strict firewall rules

REQUIREMENT 2: USE ADEQUATE CONFIGURATION STANDARDS

  • Avoid using default passwords

  • Harden your systems

  • Implement system configuration management

REQUIREMENT 3: SECURE CARDHOLDER DATA

  • Encrypt stored card data

  • Find where card data is held

  • Craft your card flow diagram
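Finding where card data is held is easier with a discovery script than with interviews alone. As an added example (not part of the original page or course material), the following Python scans text for probable primary account numbers and masks them. It assumes a text log or export as input (the sample lines are constructed for this example), treats any 13-19 digit run that passes the Luhn check as a probable PAN, and masks matches to first six / last four digits; the regular expression, the Luhn filter, and the sample data are this example's own assumptions.

```python
"""Cardholder data discovery and masking (added example, not from the page).

Scans text for probable primary account numbers (PANs): 13-19 digit runs,
optionally separated by single spaces or dashes, that pass the Luhn check.
Matches are reported masked to first six / last four digits, the most PCI
DSS permits to be displayed. The sample log below is constructed.
"""
import re

# Candidate PAN: 13-19 digits with optional single space/dash separators between
# digit groups. The lookarounds stop us matching inside longer digit runs such as
# hashes or transaction IDs (assumption: PANs are never embedded in longer runs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six (BIN) and last four digits; PCI DSS 3.3 permits no more on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _digits_of(match):
    """Strip the optional separators from a regex match to get the bare digits."""
    return re.sub(r"[ -]", "", match.group())


def find_pans(text):
    """Return one finding per probable PAN: its offset in the text and the masked value."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m)
        if luhn_valid(digits):
            findings.append({"offset": m.start(), "masked": mask_pan(digits)})
    return findings


def redact(text):
    """Replace every probable PAN with its masked form; leave other numbers untouched."""
    def _sub(m):
        digits = _digits_of(m)
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample: an application log that should never have contained full PANs.
# Line 1 holds a Visa test number, line 3 an Amex test number; the order IDs, the
# phone number and the 20-digit hash are there to show what is NOT flagged.
SAMPLE_LOG = """\
2024-01-15 order=1234567890123 card=4111 1111 1111 1111 amount=42.00
2024-01-15 order=1234567812345678 phone=1-800-555-0199 status=ok
2024-01-16 refund card=378282246310005 amount=-10.00
2024-01-16 txn_hash=12345678901234567890 note=none
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"probable PAN at offset {f['offset']}: {f['masked']}")
    print(redact(SAMPLE_LOG))
```

Run this over log directories, database exports, and backup mounts that are believed to be out of scope; every hit either pulls that system into scope or has to be removed and prevented. The Luhn filter is what keeps order numbers and timestamps from drowning the real findings, but it is a probability filter, not proof, so review hits before treating a store as cardholder data.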

REQUIREMENT 4: SECURE DATA OVER OPEN AND PUBLIC NETWORKS

  • Know where data is transmitted and received

  • Encrypt all transmitted cardholder data

  • Stop using SSL and early TLS (TLS 1.0); use TLS 1.2 or later
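As an added example (not from the page), the following Python checks an nginx-style TLS configuration for SSL and early TLS and shows the application-side equivalent, a server context that refuses anything below TLS 1.2. The two server blocks are constructed: the first is the weak setting, the second its corrected form. The cipher check is deliberately coarse (a substring test on non-negated entries), and treating TLS 1.1 as a failure follows RFC 8996 rather than the bullet above; the nginx directive names and the Python ssl API are real, everything else is this example's assumption.

```python
"""Checking a TLS configuration for SSL/early TLS (added example, not from the page).

Parses an nginx-style server block, flags protocol versions that PCI DSS no
longer accepts, and builds an ssl.SSLContext with TLS 1.2 as the floor.
The configuration text below is constructed for this example.
"""
import re
import ssl

FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}    # SSL and "early TLS": not acceptable
DEPRECATED = {"TLSv1.1"}                   # deprecated by RFC 8996; treated as a failure here
# Coarse cipher check (assumption): any non-negated entry naming one of these is flagged.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def directive(config_text, name):
    """Return the tokens of the first `name ...;` directive, or [] if it is absent."""
    m = re.search(rf"^\s*{name}\s+([^;]+);", config_text, re.M)
    return m.group(1).split() if m else []


def check_tls_config(config_text):
    """Return {'compliant': bool, 'findings': [str, ...]} for one server block."""
    findings = []
    protocols = directive(config_text, "ssl_protocols")
    if not protocols:
        findings.append("ssl_protocols not set: the nginx default applies; set it explicitly")
    for p in protocols:
        if p in FORBIDDEN:
            findings.append(f"{p} enabled: SSL/early TLS is not permitted for cardholder data")
        elif p in DEPRECATED:
            findings.append(f"{p} enabled: deprecated by RFC 8996, disable it")
    # nginx cipher lists are colon-separated OpenSSL strings; "!X" removes X.
    for entry in ":".join(directive(config_text, "ssl_ciphers")).split(":"):
        if entry.startswith("!"):
            continue
        if any(marker in entry.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher entry {entry!r} allows a weak algorithm")
    return {"compliant": not findings, "findings": findings}


def hardened_context():
    """Server-side context that refuses anything below TLS 1.2 (Python 3.7+ ssl API)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version_name():
    """Name of the floor enforced by hardened_context(), e.g. 'TLSv1_2'."""
    return hardened_context().minimum_version.name


# Constructed configs: the weak setting beside its corrected form.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:RC4-SHA:!aNULL:!MD5;
}
"""

HARDENED_CONFIG = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
}
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_tls_config(cfg)
        print(label, "compliant" if result["compliant"] else "NOT compliant")
        for finding in result["findings"]:
            print("  -", finding)
    print("python server floor:", minimum_tls_version_name())
```

A static check like this belongs in configuration review, but it only proves what the file says; confirm what the listener actually negotiates with an external scan (the ASV scan does exactly this) because a build of OpenSSL, a load balancer, or an inherited include can differ from the file you reviewed.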

REQUIREMENT 5: PROTECT SYSTEMS WITH ANTI-VIRUS

  • Deploy anti-malware on all systems commonly affected by malware

  • Regularly update anti-virus engines and signatures

  • Keep anti-malware running continuously and prevent users from disabling it

REQUIREMENT 6: UPDATE YOUR SYSTEMS

  • Consistently update your systems

  • Patch all critical systems and software

  • Establish software development processes

REQUIREMENT 7: RESTRICT ACCESS

  • Restrict access to cardholder data

  • Document who has access to the card data environment

  • Establish an access control system

REQUIREMENT 8: USE UNIQUE ID CREDENTIALS

  • Use unique ID credentials for every employee

  • Change default credentials and disable accounts promptly when people leave

  • Configure multi-factor authentication

REQUIREMENT 9: ENSURE PHYSICAL SECURITY

  • Control physical access at your workplace

  • Keep track of POS terminals

  • Train your employees often

REQUIREMENT 10: IMPLEMENT LOGGING AND LOG MONITORING

  • Implement logging and alerting

  • Establish log management

  • Define alerting rules and review logs for in-scope systems daily
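Logging is only useful if rules run over it. As an added example (not from the page), here are three rules in Python that a practitioner would put in front of authentication logs from in-scope systems: a burst of failed logins from one source, a successful login that follows such a burst, and any interactive use of a shared or generic account (which also violates the unique-ID rule of Requirement 8). The log format, the thresholds, and the sample lines are all constructed for this example.

```python
"""Log review rules over constructed auth log lines (added example, not from the page).

Events are evaluated in order with a sliding window per source address, so
the rules work on a live tail as well as on a batch of historical lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format (constructed for this example):
# "<ISO timestamp> <host> sshd: <Accepted|Failed> password for [invalid user ]<user> from <src>"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                      # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)     # ... within this window raise an alert
SUCCESS_AFTER_FAILURES = 3              # accepted login after this many recent failures
SHARED_ACCOUNTS = {"root", "admin", "administrator"}


def parse(line):
    """Return the event fields for a matching line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def evaluate(lines):
    """Run the rules over lines in order and return the alerts they raise."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures in the window
    already_flagged = set()                # one brute-force alert per source per burst
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > FAIL_WINDOW:
            q.popleft()                    # drop failures that fell out of the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append({"rule": "brute_force", "host": ev["host"],
                               "src": ev["src"], "count": len(q)})
            continue
        # Accepted login: check it against the failure history and the account type.
        if len(q) >= SUCCESS_AFTER_FAILURES:
            alerts.append({"rule": "success_after_failures", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"]})
        if ev["user"] in SHARED_ACCOUNTS:
            alerts.append({"rule": "shared_account", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"]})
    return alerts


# Constructed sample: five failures then a success from one address, a root login,
# and one ordinary user mistyping a password once (which must not alert).
SAMPLE_LINES = """\
2024-03-01T10:00:01 pos-db01 sshd: Failed password for invalid user test from 203.0.113.7
2024-03-01T10:00:05 pos-db01 sshd: Failed password for invalid user oracle from 203.0.113.7
2024-03-01T10:00:09 pos-db01 sshd: Failed password for jsmith from 203.0.113.7
2024-03-01T10:00:13 pos-db01 sshd: Failed password for jsmith from 203.0.113.7
2024-03-01T10:00:17 pos-db01 sshd: Failed password for jsmith from 203.0.113.7
2024-03-01T10:00:45 pos-db01 sshd: Accepted password for jsmith from 203.0.113.7
2024-03-01T10:05:00 pos-app01 sshd: Accepted password for root from 10.10.1.5
2024-03-01T10:06:00 pos-app01 sshd: Failed password for alice from 10.10.1.9
2024-03-01T10:06:30 pos-app01 sshd: Accepted password for alice from 10.10.1.9
""".splitlines()

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LINES):
        print(alert)
```

The "success after failures" rule is the one worth the most attention: a burst of failures on its own is background noise on any Internet-facing host, but a success from the same source minutes later is the signal that the guessing worked. Tune the thresholds to the host's normal traffic and send the alerts somewhere a person will see them the same day.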

REQUIREMENT 11: CONDUCT VULNERABILITY SCANS AND PENETRATION TESTING

  • Know your environment

  • Run internal and external vulnerability scans at least quarterly and after significant changes

  • Conduct a penetration test at least annually and after significant changes

REQUIREMENT 12: START DOCUMENTATION AND RISK ASSESSMENTS

  • Document everything

  • Implement a risk assessment process

  • Create an incident response plan

 


HIPAA Compliance


Securing the privacy of protected health information (PHI) is one of the focuses of the Health Insurance Portability and Accountability Act (HIPAA), passed into law in the United States in 1996. It has been expanded since, notably through the HITECH Act (2009) and the Omnibus Rule (2013). As electronic health care data became prevalent, the HIPAA Privacy Rule (compliance required from 2003) and Security Rule (from 2005) came into force. Keeping up with HIPAA privacy and security tasks can seem overwhelming, especially if you’re a small to medium-sized healthcare organization.

A main purpose of the HIPAA Privacy and Security Rules is to protect health care data from being compromised, which usually happens as a result of an external attacker, unauthorized access, or employee negligence.

Breaches within the healthcare industry are not going away, and organizations have made a lot of expensive mistakes in recent years. Because healthcare systems hold personal information that is useful for identity theft and fraud, criminals actively target it.

When HIPAA privacy and security requirements are taken seriously, companies decrease their liability, increase overall security within the organization, and avoid costly HIPAA fines and fees.

One portion of the HIPAA law, Title II (Administrative Simplification), is where the Privacy, Security, and Breach Notification Rules live. We will go into a bit more detail on each of these.

The Privacy Rule is the one most organizations are familiar with. A major goal of the Privacy Rule is to ensure that individuals’ health information is properly protected while allowing the flow of health information to those who need it so that good care can be provided. The Privacy Rule protects all "individually identifiable health information" held or transmitted by covered entities (health care providers, health plans, and clearinghouses) or their business associates, in any form or media (electronic, paper, oral, etc.).

The Security Rule deals with the administrative, physical, and technical safeguards that must be in place to protect PHI held electronically (ePHI). It sets standards, some required and some "addressable" (to be implemented or else justified in writing), that apply to firewalls, logging, network design, encryption, risk analysis, workforce training, and anything else involved in the creation, processing, transmission, and maintenance of ePHI.

Lastly, the Breach Notification Rule requires organizations to have policies and procedures in place for when a breach of unsecured PHI occurs: affected individuals must be notified without unreasonable delay and no later than 60 days after discovery, the Department of Health and Human Services must be notified (within 60 days for breaches affecting 500 or more people, otherwise in an annual report), and breaches affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets.

Healthcare organizations will continue to be at risk for data compromise, but by doing a little bit each day and by making HIPAA requirements a priority, you can make a big impact on the strength of your data security.

 



GDPR Compliance


The General Data Protection Regulation (GDPR) harmonizes data protection law across the European Union and strengthens the privacy rights of individuals in the EU.

The GDPR applies to any organization that handles, processes, or stores the personal data of individuals in the EU. The GDPR’s term is "personal data," which is broader than the US notion of personally identifiable information (PII): it means any information relating to an identified or identifiable natural person. That includes names, birth dates, birth places, mothers’ maiden names, addresses, email addresses, IP addresses, online identifiers such as cookies, and national ID or social security/insurance numbers.

So whether your business is located in the EU or not, if you offer goods or services to people in the EU, or monitor their behaviour, this regulation applies to you (Article 3).

Organizations found to be in non-compliance with the GDPR can be fined up to 20 million euros or 4% of their total worldwide annual turnover for the preceding financial year, whichever is higher. That is the top tier; a lower tier (10 million euros or 2%) covers less serious infringements, and supervisory authorities can also issue warnings, reprimands, and orders to stop processing. So what can you do to start addressing these requirements and avoid potential fines?

First of all, learn what the GDPR requires and how its data protection principles apply to your business. The best thing you can start doing right away is finding out where personal data is stored, processed, or transmitted in the course of your daily operations. Document this carefully with data flow diagrams and descriptions (Article 30 requires most organizations to keep records of their processing activities). Be sure to talk to people throughout your organization to learn how they actually interact with personal data. When it comes to personal data, don’t make assumptions.

Some requirements of the GDPR are easier to interpret than others. For example, where consent is the lawful basis for processing (it is one of six; performance of a contract and legitimate interest are others), the GDPR requires a clear opt-in from the data subject before a company can begin storing, processing, or transmitting their personal data, and pre-ticked boxes or silence do not count. It is easy to determine whether that requirement has been met or not.

On the other hand, the GDPR requires "data protection by design and by default" (Article 25). With this requirement it can be difficult to know whether you are fully compliant, because it alludes to any number of possible data security practices rather than naming them.

The next step is to start working on the requirements and carry out the necessary remediation. Think about the processes you need to fix at your organization and start fixing them to be in accordance with the GDPR. Consider working with a consultant to conduct a GDPR gap analysis to identify the areas you need to focus on first.

The third step is the documentation that may be required. You might have a long list of policies and procedures to write: privacy notices, records of processing activities, procedures for handling data subject requests, a breach response procedure, and data processing agreements with your vendors. Documentation can be a big task, and you need either to create it from the ground up or to find a company that provides packages you can adapt.

So in summary, the best thing you can do to meet GDPR requirements is to start doing something. The GDPR has applied since 25 May 2018, so read up on what the law means for you. Start working on privacy and disclosure documents. Perform a GDPR risk analysis (for processing that is likely to be high risk, the GDPR requires a formal Data Protection Impact Assessment, or DPIA). If you are audited by a supervisory authority, you will be in a much better position to avoid hefty fines if you can show that you were making a documented effort to implement GDPR requirements.

 


Compliance Mandate Quiz

Question 1:

If you are compliant with the PCI DSS, are you compliant with other compliance mandates (e.g., HIPAA, GDPR)? (Choose only ONE best answer.)

  1. Yes

  2. No, but your compliance to each mandate increases your data security and reduces your potential for fines and penalties.

Question 2:

Who needs to follow GDPR compliance? (Choose only ONE best answer.)

  1. Only EU organizations

  2. Only EU citizens

  3. Anyone who handles, processes, or stores the personal data of individuals in the EU.

Question 3:

TRUE OR FALSE: A main purpose of HIPAA Privacy and Security Rules is to protect electronic health care data from being compromised. (Choose only ONE best answer.)

  1. True

  2. False

Question 4:

Should your organization have a designated person responsible for HIPAA/PCI/GDPR compliance? For example, a Security and/or Privacy Officer(s). (Choose only ONE best answer.)

  1. Yes

  2. No

Answer Code: Q1: 2, Q2: 3, Q3: 1, Q4: 1


Create a Security Culture

Security is not a bottom-up process. Management often tells IT to “just get their organization secure.” However, those placed in charge of security and compliance may not have the means necessary to reach their goals.

For example, IT may not have the budget to implement adequate security. Some try to fill security gaps with free software, but that can be expensive too because of the time it takes to implement and manage. In some instances, we have seen an IT department want its third-party auditor to purposely fail its compliance evaluation so it could prove it needed a larger security budget. Obviously, it would have been better to focus on security from the top down beforehand.

Keep in mind that checkbox attitudes lead to breaches. C-Level management should support the process. If you are a C-level executive, you should be involved with budgeting, assisting, and promoting security best practices from the top level down to foster a strong security culture. 

Security Budget

The cost of data security depends entirely on your organization. Here are a few variables that factor into the cost of your overall efforts:

  • Your business type (e.g., franchise, service provider, mom-and-pop shop, or hospital): Each business type will have varying amounts of environment structure, risk levels, and sensitive data in their systems, which means each business type will have different needs.

  • Your organization size: Typically, the larger the organization, the more potential vulnerabilities it has. More staff members, more programs, more processes, more computers, more cardholder data, and more departments mean more cost.

  • Your organization’s culture: If data security is one of upper management’s top priorities, increasing security costs probably isn’t a major internal struggle. In other cases, management is very hesitant to dish out budgets to security, because they don’t understand their organization’s security liabilities.

  • Your organization’s environment: The type of processing or medical devices, the brand(s) of computers, the types of your firewalls, and the model(s) of back-end servers can all affect security costs.

  • Your organization’s required mandates: Some compliance mandates may require additional budget to be spent on security tools (e.g., PCI DSS), while others may require you to follow additional security practices to protect an individual’s privacy and records (e.g., GDPR, HIPAA).

  • Your organization’s dedicated security staff: Even with a dedicated team, organizations usually require outside assistance or consulting to help them meet data security and compliance mandate requirements.

The following are estimated annual security budgets:


SMALL ORGANIZATION BUDGET

  • Risk analysis and management plan: $2,000

  • Vulnerability scan: $100-$150 per IP address

  • Training and policy development: $70 per employee

TOTAL POSSIBLE COST: $2,170+ (for one scanned IP address and one employee; multiply the per-unit items by your own counts)

 

MEDIUM ORGANIZATION BUDGET

  • Risk assessment and management plan: $20,000+

  • Onsite audit: $40,000+

  • Vulnerability scanning: $800+

  • Penetration testing: $5,000+

  • Training and policy development: $5,000+

TOTAL POSSIBLE COST: $70,800+

 

Keep in mind that these budgets don’t include remediation measures such as firewalls, encryption, and updating systems and equipment.

However, this is far cheaper than paying for a data breach, which can easily cost anywhere from $180,000 to $8.3 million or more.

 

OVERCOME MANAGEMENT’S BUDGET CONCERNS

If you’re having trouble communicating budgetary needs to management, start by conducting a risk assessment. NIST SP 800-30 (Guide for Conducting Risk Assessments) is a good methodology to follow. At the end of the assessment you will have an estimate of how likely a compromise is, what it would cost, and what other impact a breach would have on your organization (e.g., brand damage).

Simply put, find a way to show how much weak security will cost the organization. For example: "if someone gains access to the system through X, this is how much it will cost us and how it will damage our brand." Consider asking the marketing or accounting teams for help delivering the message in bottom-line terms.

If possible, work with a third-party security professional to map the requirements you must meet to specific security controls, and to identify which tools you will need to implement them.
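Here is an added example (not from the page) of putting that message in bottom-line terms in Python, using the standard annualized loss expectancy (ALE = SLE × ARO) and return-on-security-investment (ROSI) formulas to rank candidate controls for a budget request. The risk and control figures are constructed for illustration: the $180,000 single-loss figure is the low-end breach cost quoted above and the control costs are taken from the medium-organization budget, while the likelihood figures, the candidate controls, and the assumption that a control only lowers likelihood rather than loss size are this example's own.

```python
"""Ranking security spend by return on investment (added example, not from the page).

ALE  = SLE x ARO                                  (annualized loss expectancy)
ROSI = (ALE reduction - control cost) / control cost
Figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float    # single loss expectancy: cost of one occurrence
    aro: float    # annualized rate of occurrence: expected occurrences per year

    def ale(self):
        """Annualized loss expectancy: what this risk costs per year on average."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    risk: str               # name of the Risk it addresses
    annual_cost: float
    aro_reduction: float    # fraction of the ARO the control removes (assumption:
                            # it lowers likelihood, not the size of a loss)


def rosi(risk, control):
    """Return on security investment; negative means the control costs more than it saves."""
    saved = risk.ale() * control.aro_reduction
    return (saved - control.annual_cost) / control.annual_cost


def rank_controls(risks, controls):
    """Order candidate controls by ROSI, best first, as a budget request would present them."""
    by_name = {r.name: r for r in risks}
    scored = [(c.name, round(rosi(by_name[c.risk], c), 2)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed scenario: one risk, two ways of spending against it.
RISKS = [
    Risk("card data breach via unpatched web server", sle=180_000, aro=0.25),
]
CONTROLS = [
    Control("quarterly scans plus annual penetration test", RISKS[0].name,
            annual_cost=5_800, aro_reduction=0.6),
    Control("commercial SIEM subscription", RISKS[0].name,
            annual_cost=25_000, aro_reduction=0.3),
]

if __name__ == "__main__":
    print(f"ALE for '{RISKS[0].name}': ${RISKS[0].ale():,.0f} per year")
    for name, value in rank_controls(RISKS, CONTROLS):
        print(f"{name}: ROSI {value:+.2f}")
```

The numbers are rough by nature (nobody knows the ARO of a breach to two decimal places), but the exercise forces the conversation management actually needs: how much we expect to lose per year, and which spend reduces that most per dollar. Mandatory controls still have to be funded regardless of ROSI; the ranking is for the discretionary part of the budget.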

 
