7 HITRUST Regulatory Factors to Consider for Healthcare

This article is Part One of a Four-part Series on the HITRUST Framework

When you think of HITRUST, you probably think of healthcare. After all, HITRUST was originally created as the “Health Information Trust Alliance.”

The New Normal: Fully-Enabled Remote Audits

The new normal is anything but normal, but before we join the chorus of “uncertain times,” let’s take a moment to reflect on how standards organizations have responded to COVID-19 by enabling remote audits, so that organizations can continue to demonstrate trust.

How A-LIGN Helped Cloudreach Become PCI DSS Compliant

It is essential for any organization that processes, stores or transmits credit card data to be compliant with the Payment Card Industry Data Security Standard (PCI DSS)—and as the world’s largest cloud-native company, Cloudreach certainly falls within these parameters.

How to Know if an MSP is PCI DSS Compliant

Managed service providers (MSPs) provide a valuable service by taking on an organization’s outsourced information technology services, but they need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) – and just because they say they’re PCI DSS compliant doesn’t mean they’re a good fit. Below are our tips for going beyond the PCI DSS logo on an MSP’s website and determining whether they’re truly compliant.

What to Expect from PCI DSS 3.2

Earlier this year, we wrote about how to prepare for PCI DSS 3.2. Now, organizations should begin to implement changes with the PCI DSS 3.2 official release.

These standards should be adopted as soon as possible: version 3.1 will expire on October 31, 2016, and all new requirements must be implemented by February 1, 2018, giving organizations time to prepare. Until that date, the new requirements are simply considered best practices.

PCI DSS 3.2 Changes

Specific changes include:

  • Additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE)
  • Incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers
  • Clarifying masking criteria for primary account numbers (PAN) when displayed
  • Including the updated migration dates for SSL/early TLS that were published in December 2015

In addition, the PCI DSS Designated Entities Supplemental Validation criteria have officially been added as an appendix to the standard, and several PCI DSS requirements (3, 10, 11 and 12) now include DESV controls for service providers.

If you are unsure about how the changes may affect your specific environment, the professionals at A-LIGN are ready to help your organization determine how PCI DSS 3.2 will impact you, as well as develop an appropriate course of action. For current clients, A-LIGN’s PCI DSS experts will be reaching out to determine how PCI DSS 3.2 affects them.

If you have questions regarding PCI DSS or how version 3.2 may impact your specific environment, please contact A-LIGN. Our PCI DSS specialists are available to answer your questions at [email protected] or 1-888-702-5446.

PCI Data Security Standard Version 3.0 – Breakdown of Changes to Anticipate

By: Gene Geiger, Partner of A-LIGN

Following the 36 month lifecycle the PCI Security Standards Council (“Council”) has established for the published standards, Version 3.0 of the PCI Data Security Standard is in the final stages before it will be released on November 7, 2013.

Through several webinars and documents provided to stakeholders, the Council has provided information on the final draft in order to receive feedback at the 2013 Community that will be held in Las Vegas September 24 – 26.

The core twelve requirements remain the same, but after reviewing the changes and guidance provided by the Council, the move to Version 3.0 is more comprehensive than previous version changes have been. Because of the impact of these changes and the time it may take to fully comply with the requirements of Version 3.0, Version 2.0 may still be used for assessments until December 31, 2014. Nonetheless, the Council encourages adoption of Version 3.0 as soon as practical.