Many industries have compliance standards in place that mandate protection of sensitive data and the privacy of those to whom it pertains. These requirements ensure that businesses across an industry utilize the same processes and practices.
The Payment Card Industry Data Security Standard, for example, impacts organizations in and out of the commerce and retail markets, extending to any company that stores, processes or transmits cardholder information. Another common compliance standard is the Health Insurance Portability and Accountability Act and its Privacy and Security Rules. These are applicable to covered entities, business associates and any organization that provides healthcare treatment or payment processing services.
When it comes to compliance, there are a few best practices to observe. It's also imperative that organizations within these and other industries with similar compliance standards understand the potential consequences – to their companies and their clients – if they do not comply. Industry requirements like these should also be factored in when selecting a technology service provider.
PCI DSS compliance and consequences
According to the PCI Security Standards Council, PCI DSS compliance includes three best practices:
- Assess and identify the cardholder information the company handles, and take inventory of the IT systems and procedures used to process and store it. During this step, businesses should also look for any vulnerabilities in their systems that could put cardholder details at risk.
- Remediate and repair any issues identified in the first step. Retailers and other enterprises should also refrain from storing cardholder data unless they absolutely need to, since storing this information when it is not required adds to the potential risk.
- Report and submit the necessary validation records to authorities, if needed. Companies should also complete and turn in compliance reports to the bank and card brands they are associated with.
Adhering to PCI DSS can be an individualized process, and businesses should be sure they contact their payment brand or acquirer to find out the exact requirements they need to align with.
The PCI Security Standards Council does not check for compliance, nor does it impose sanctions for those that are not compliant. However, this does not mean there aren't consequences. The Council pointed out that the payment brands companies work with may have their own initiatives through which they are empowered to manage compliance and set forth punishments when necessary. In addition, if a breach occurs because of noncompliance, the retailer's customer base and brand image could suffer severely.
HIPAA compliance and consequences
According to Online Tech, HIPAA compliance involves the HIPAA Privacy Rule, which outlines the requirements for storing, accessing and transmitting patients' health data to outside organizations. In addition, the Security Rule lays down the national security standards necessary to safeguard electronic protected health information, or ePHI, when maintaining, transmitting or receiving it.
The American Medical Association noted that there is a wide range of consequences for organizations that don't comply with the rules of HIPAA, including civil or criminal penalties that range in severity according to the offense. For instance, a HIPAA violation that comes in connection with willful neglect carries a penalty of $10,000 to $50,000 per violation – where "per violation" can mean per record exposed. This can pile up quickly, and seven-figure penalties are not unheard of.
Compliance with technological services: HIPAA and PCI DSS are not interchangeable
Compliance is essential throughout an organization, and even extends to its technology services. Organizations that are governed by industry standards must ensure that the vendors they utilize – particularly for hosting and other services – are compliant as well. However, when selecting a compliant hosting provider, it's imperative to understand that compliance doesn't mean the same thing to every type of data or every industry.
"When thinking about compliance, many companies assume PCI DSS is interchangeable with HIPAA. Otherwise it is assumed that the gap between the two is small," noted Mike Klein, Online Tech president and COO and Data Center Knowledge contributor. "This ignores that HIPAA and PCI DSS compliance protect different types of information, with different audit guidelines, safeguard requirements and consequences for non-compliance or breaches."
Therefore, it's critical that organizations understand their own industry compliance requirements and find a hosting provider whose services are built to meet that specific standard.
Hostway offers security solutions specially crafted to comply with the regulations of a number of industry standards, including PCI DSS and HIPAA. Contact Hostway today to find out more about how we can help your company achieve compliance.