Identity theft and fraud attempts are global problems. Since 2005, the Privacy Rights Clearinghouse estimates that more than 500 million records containing sensitive data have been breached. To combat this threat, the big five credit card companies (Visa, MasterCard, American Express, Discover and JCB) partnered in 2006 to create the Payment Card Industry Data Security Standard (PCI DSS).
For those conducting business online, complying with these standards is crucial to protecting your organization and your customers.
“Customers are increasingly aware of the need to guard their personal information and demand a high level of data security around any electronic transaction they make,” says Daniela Hagen, a compliance manager at cleverbridge, a global ecommerce provider for digital products. “PCI DSS compliance allows organizations to stay ahead of security vulnerabilities, prevent fines, and increase overall security levels; this not only allows them to be compliant but also makes them more trustworthy and competitive.”
In this post, we highlight three prominent security standards and explain why you should strive for compliance as soon as possible.
In 2005-2006, hackers stole more than 90 million customer credit and debit card numbers from TJX Companies. Investigators discovered that TJX did not adequately follow PCI standards, and as a result, the U.S. government estimated that companies, banks and insurers lost close to $200 million.
PCI DSS provides a comprehensive roadmap to help organizations ensure the safe handling of cardholder information. This roadmap comprises technical and operational requirements set by the PCI Security Standards Council (PCI SSC) that govern the entire payment process and the storage of cardholder data. Merchants and service providers are classified by transaction volume over a 12-month period to determine which level of PCI guidelines they must follow.
PCI DSS is organized around six overarching goals:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
In 2011, PCI SSC implemented version 2.0, updating the standard to reflect changes in technology and emerging security pitfalls. This version adds guidance and clarification to the earlier edition of the requirements.
If your ecommerce system is maintained internally, your organization should comply with PCI DSS. If you outsource your ecommerce solution, make sure your ecommerce provider does. Visit PCI’s website and take the Self-Assessment Questionnaire to determine your security readiness.
The American Institute of Certified Public Accountants (AICPA) developed the Statement on Auditing Standards No. 70 (SAS 70) to act as a resource for independent certified public accountants (CPAs).
Specifically designed as a guide for auditors, SAS 70 requires that data center hosts and service organizations demonstrate extensive controls and safeguards against security threats. The review is conducted by an independent auditor, and companies must demonstrate that their control objectives are effectively designed. By passing the audit, an organization shows its customers that the appropriate security defenses are present where customer data is held.
This June, the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) replaced SAS 70. SSAE 16 updates the reporting standard so that it aligns with international reporting standards. Is your company ready for an SSAE 16 review? Take Deloitte’s SSAE 16 Readiness Assessment to evaluate your company.
US-EU Safe Harbor is an adaptation of the European Union’s Directive 95/46/EC on the protection of personal data. Though the U.S. and Europe take different approaches to privacy, the Safe Harbor framework is a streamlined way for U.S. organizations to comply with U.S. Department of Commerce and European Commission regulations. Compliance with Safe Harbor is essential for companies doing business in Europe. Safe Harbor adherence ensures that your organization follows the European Union Directive on Data Protection, allowing your business to establish credibility with European customers.
The governing elements of this framework, the Safe Harbor Principles, were developed to prevent accidental information disclosure or loss. There are seven principles that participants must adhere to:
- Notice – Individuals must be informed that their data is being collected and how it will be used.
- Choice – Individuals must have the ability to choose whether their personal information will be disclosed to a third party.
- Onward Transfer – To disclose customer information to a third party, organizations must apply the notice and choice principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity – Data must be relevant and reliable for the purpose it was collected.
- Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement – There must be effective means of enforcing these rules.
Visit the US – EU Safe Harbor guidelines to learn more.
Commitment to Security
All three standards require participants to re-certify every 12 months. Though each comes at a cost, compliance with these three data security standards is an invaluable reputation builder. These organizations have done the hard work for you, and following their rules indicates that you have set a high standard of security.
Commit to data protection, improve your security standards and combat customer fear of identity theft by complying with objective security standards like PCI DSS, SAS 70, and US-EU Safe Harbor.
Samantha Vizer contributed to this blog post.