For any organization that stores, interprets and manages sensitive data, complying with cybersecurity requirements is of utmost importance. The most comprehensive way to test the strength and effectiveness of these systems is through a compliance assessment. Beginning this process, however, is no easy feat. “Top Tips for Effective Audit Preparation”
A strong cybersecurity and risk posture is increasingly important in today’s business world, which is why it is imperative that private equity investors build cybersecurity and privacy modules into their due diligence. “Why Cybersecurity and Privacy Due Diligence is Important for Private Equity Firms”
Managed service providers (MSPs) deliver a valuable service by taking on outsourced information technology functions, but they need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) – and just because they say they’re PCI DSS compliant doesn’t mean they’re a good fit. Below are our tips to go beyond the PCI DSS logo on an MSP’s website and determine whether they’re truly compliant.
Since 2007, the HITRUST Common Security Framework (CSF) has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the upcoming CSF v9.3 update, HITRUST continues to demonstrate its value for any organization by expanding to incorporate new frameworks, legislation and standards.
What is the HITRUST CSF?
The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA/HITECH, PCI DSS, GDPR and more into one comprehensive system, the HITRUST CSF saves time and energy by assessing once and reporting many.
Thanks to its ability to combine several assessments and frameworks into one framework, the HITRUST CSF allows clients to decide what they want to test against and get controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.
The HITRUST CSF was originally designed specifically for the healthcare industry; the recent v9.2 release broadened the framework to make it useful for any organization around the globe.
CSF v9.3 will be released in Q3 of 2019, and HITRUST has detailed the additional regulatory factors that will be added to the framework.
Incorporation of the California Consumer Privacy Act
One of the most notable updates in CSF v9.3 is the incorporation of new standards and regulations, including requirements placed on organizations by the California Consumer Privacy Act (CCPA).
Passed in 2018, the CCPA was built to be similar to the European Union’s General Data Protection Regulation (GDPR) and takes a stronger stance to protect the sharing, transmission and storage of consumer data. The CCPA legislation goes into effect on January 1, 2020, with the enforcement of the law starting on July 1, 2020.
Not only does the HITRUST CSF v9.3 incorporate standards and regulations from the CCPA, it also reflects key differences between the CCPA and GDPR, including requirements for data access, applicability and requirements for opt-out methods.
Other Important Updates to CSF v9.3
Aligning the HITRUST CSF with the CCPA is only one of the updates to the HITRUST framework. CSF v9.3 also updates the framework to incorporate other authoritative sources, including:
- The Federal Risk and Authorization Management Program (FedRAMP)
- The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1
- Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1
- IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information
- South Carolina’s Bill 4655, the Insurance Data Security Act
Who Should Migrate to CSF v9.3
If your entity wants to add any of the six regulatory factors outlined above to your HITRUST assessment, you will need to undergo CSF v9.3. If you are not interested in adding these factors, you can instead opt to undergo CSF v9.1 or CSF v9.2.
By giving organizations more choice to better fit their needs, the HITRUST CSF continues to position itself as a valuable, powerful and flexible framework for organizations of all sizes across all industries.
The A-LIGN Difference
A-LIGN’s experience and commitment to quality have helped over 130 clients successfully achieve HITRUST certification. Our rigorous process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any question you might have through every step of the process, responding to all inquiries within twenty-four hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in pursuing the HITRUST CSF for your organization? Contact A-LIGN at 1-888-702-5446 to speak with one of our cybersecurity and compliance professionals.
Cybersecurity examinations are an important undertaking for your organization, its health and its projected future. With no shortage of firms and examination types to choose from, preparing to undergo an audit or assessment can feel like a massive undertaking. Is the firm reliable, or is it cutting corners? Is the assessor able to deliver on their lofty promises? And how can you tell if they’re providing quality work?
Organizations around the world, especially ones in the HITRUST XChange program, are moving to quickly implement the HITRUST Common Security Framework (CSF) for their organization. With the recent HITRUST CSF v9.2 update, organizations across all industries – not just healthcare – can benefit greatly from the HITRUST framework.
In April 2016, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (PCI DSS) version 3.2. The update brought clarification of existing requirements, additional guidance, and seven new requirements. “PCI DSS v3.2 and the Penetration Testing Requirements for Service Providers”
Visa has released new tools and changes, which add value to service providers who store, process, or transmit cardholder data on behalf of merchants or other entities.
For years, Visa has offered service providers the Visa Global Registry of Service Providers, a prestigious list of entities which meet certain criteria and have completed a PCI DSS assessment from a Qualified Security Assessor (QSA).
The registry assures merchants that the service providers they use have met a rigorous standard of security compliance, which in turn helps merchants meet their own PCI DSS and security requirements. To increase the visibility of third-party agents, especially merchant agents, and to help acquirers comply with third-party agent registration requirements, Visa recently eliminated the merchant servicer registration fee.
In the past, identifying an acquiring relationship for sponsorship on the Visa list has also been a hurdle, but Visa launched its Merchant Servicer Self-Identification Program (MSSIP), which helps Merchant Servicers identify acquiring bank relationships to facilitate agent registration.
In addition to the changes to the Global Registry and MSSIP, service providers can also look forward to the Visa Badge and new guidance.
- Visa Badge – Soon, service providers qualifying for the Global Registry can proudly display a logo on their website which verifies their eligibility and links to the registry.
- New Guidance – Visa has published a new flyer to help eCommerce providers, such as those hosting a payment page, providing gateway services or offering services that support online payments, to better navigate and understand the options. Although it is possible to provide some services to merchants and not be required to participate in the Visa Third Party Agent Registration Program, savvy merchants will increasingly ask, so understanding the program is critical.
In September, Global Registry enhancements went live to feature early PCI DSS v3.2 adopters. In addition, aesthetic changes to the Global Registry website are expected during 2017 to improve website navigation.
These enhancements encourage service providers to increase security and participate in the program, which in turn instills confidence in the merchants that utilize their services. For more information on how your organization can be listed in the Visa Global Registry of Service Providers, contact A-LIGN at firstname.lastname@example.org to speak to one of our security professionals.
MasterCard has revised its Standards to allow for collection agents to accept signature debit cards in the US. This revision is effective immediately and will be reflected in upcoming versions of MasterCard Rules.
This change does not affect MasterCard’s credit transaction rules, and those transactions will remain prohibited as satisfactory payment for uncollectable obligations. The change is strictly effective in the United States, and additionally does not affect MasterCard’s Payday Lending Standards.
The adjustment will affect collection agencies because it allows them to change the way in which customers provide payment. The modification also has the potential to expand the scope of PCI assessments and requirements within the collections realm. A-LIGN can assist your organization with your PCI compliance through security consulting related to PCI DSS, conducting gap assessments, validating compliance through a Report on Compliance or Self-Assessment, and penetration testing.
Need assistance in determining how this change could affect your environment? Let A-LIGN assist you with all of your PCI compliance needs. Contact us today at email@example.com or 1-888-702-5446.
Earlier this year, we wrote about how to prepare for PCI DSS 3.2. Now, organizations should begin to implement changes with the PCI DSS 3.2 official release.
These standards should be adopted as soon as possible: version 3.1 will expire on October 31, 2016, and the new requirements become mandatory on February 1, 2018, to give organizations time to prepare. Until that point, the new requirements are considered best practices.
PCI DSS 3.2 Changes
Specific changes include:
- Additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE)
- Incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
- Clarifying masking criteria for primary account numbers (PAN) when displayed
- Including the updated migration dates for SSL/early TLS that were published in December 2015.
In addition, the PCI DSS Designated Entities Supplemental Validation criteria have officially been added as an appendix to the standard, with some PCI DSS requirements (3, 10, 11, 12) now including DESV controls for service providers.
If you are unsure about how the changes may affect your specific environment, the professionals at A-LIGN are ready to help your organization determine how PCI DSS 3.2 will impact you, as well as develop an appropriate course of action. For current clients, A-LIGN’s PCI DSS experts will be reaching out to determine how PCI DSS 3.2 affects them.