PCI DSS 3.0: An Overview of Core Changes

Payment Card Industry Data Security Standard 3.0 (PCI DSS) changes became effective on Jan. 1, and many businesses will be working to ensure they are meeting new and updated requirements throughout 2014.

Last month, Layered Tech became one of the first managed hosting service providers to become certified under PCI DSS 3.0 standards. Since we handle the majority of IT controls for many of our clients, it was an easy decision for us to seek certification as early as possible to help them address potential gaps in security and reporting requirements between now and the end of the year. In 2015, all hosting providers must be in full compliance with the new PCI 3.0 standards.

The PCI DSS Lifecycle

PCI DSS (and its counterpart PA DSS) rules live on a three-year lifecycle, and PCI 3.0 began its life when announced in October 2013. Since the new standards became available in January, most cloud solutions providers (CSPs) will spend 2014 implementing the changes pushed by PCI 3.0.

Old PCI 2.0 rules are grandfathered in for 14 months (through Dec. 2014), but merchants and vendors alike will be working diligently to complete their transitions as soon as possible. Here are some of the most noteworthy changes under the new requirements that you should be aware of:

Requirements in PCI DSS 3.0 Go Beyond Compliance

The major changes in PCI 3.0 focus on raising user awareness of potential security and compliance concerns, strengthening security standards, and making user controls more flexible. At its core, PCI focuses on securing cardholder data, so the new standards put a lot of emphasis on securing internal infrastructure, managing third-party access and authenticating systems with access to that data.

  • Establish a culture of security through education. One of the largest themes of PCI DSS 3.0 is to maintain and drive accountability at every level of client organization by educating employees on security.
  • More rigorous requirements for penetration testing. Earlier standards required some testing, but 3.0 requires more strenuous testing at both the application layer and the network layer, and QSAs will have to put more emphasis on penetration testing. Tests must cover the entire cardholder data environment and use an accepted testing methodology, such as NIST's. Unlike most of the PCI DSS 3.0 changes, however, organizations have until July 15, 2015 to fully comply with the rules regarding penetration testing. Despite the longer deadline, we expect that penetration testing methodologies will come under increased scrutiny in years to come, so having a rigorous, documented testing method in place will be crucial.
  • Organizations must have written security agreements with service providers to define security obligations. PCI 3.0 requires that any business, third-party vendor or organization that accepts card payments is fully aware of their responsibilities in data security. The new standards provide an extra level of guidance to both CSPs and merchants to ensure that responsibility is shared, not outsourced.
  • Enhanced service provider scrutiny. CSPs must now use unique credentials for each of their clients (spurred by a data breach caused by a vendor using a single password across each environment), and must give customers documentation confirming their responsibility for data in their possession and maintaining compliance in the data environment.
  • Merchants and vendors must maintain a complete inventory of the cardholder data environment (CDE). This includes documenting each component of the environment, along with its function and purpose.

It shouldn’t be a big surprise that so many of the changes encourage CSPs and third-party vendors to share responsibility for maintaining security. As more businesses seek help with their IT operations, third-party providers will have a more prominent role in guaranteeing compliance. At Layered Tech, we manage all the IT controls through internal staff, without third-party support, helping clients limit scope, risk and costs.

The Value of Early Adoption

Since all organizations (vendors, assessors and CSPs alike) must adhere to the new standard by the end of 2014, Layered Tech felt it was important to achieve early certification. As our clients begin to recertify for their own business, we can now safely manage their controls and leave no gaps between their compliance efforts and our own. Layered Tech has always been on the leading edge of PCI DSS certification, and we continue to support the needs of our clients by staying ahead of the curve.

About the Author: Dennis Pickard holds CIA & CISA certifications and is the IT Audit Lead in the Compliance and Security Group of Layered Tech. He has more than 20 years of experience in compliance and technology audits, primarily in the Financial Services industry. Throughout his professional career, he has directed and performed numerous HIPAA security and privacy analysis activities.


6 Healthcare Incubators That Are Growing the Future of Business

We all know that small businesses are the engine of America’s economy. Luckily, there are groups out there that have made it their mission to help small businesses and startups survive long enough to change the world: business incubators. By providing funding, mentorship and office space to startup companies, incubators give businesses the time and resources to refine their technologies and services while finding investors and customers.

While incubators help turn bright ideas into real consumer products and services, they also create new opportunities for established businesses. As startups are mentored and helped through their early phases, they become invaluable investment and partnership opportunities for other service companies.

Below, we’ll introduce you to some of the leading incubators in the healthcare industry, one of our economy’s fastest growing sectors. These incubators have a proven track record in helping innovative young companies bring new ideas and services to consumers and businesses.

The Top Six Healthcare Incubators and Accelerators

Rock Health – Rock Health invites early stage companies to work within the incubator and receive funding and mentorship from a variety of companies and health organizations. Rock Health notes that 18% of our economy is healthcare-based, but it’s one of the last industries to receive a tech makeover. With more than 50 active startups in its portfolio, Rock Health is one of the most experienced healthcare incubators, especially for startups that focus on providing web services, mobile applications and SaaS solutions for healthcare providers and companies.

Health Wildcatters – Health Wildcatters is a mentorship-driven healthcare seed accelerator in Dallas, which is slightly different from an incubator. Though similar to incubators in their goals, accelerators typically acquire a small amount of equity in a startup, then work quickly to help the company achieve a short-term goal like raising money or launching a product. While incubators house companies for months or years, accelerators like Health Wildcatters work in weeks. Health Wildcatters focuses mainly on early-stage healthcare technology startups, including IT, SaaS, digital health and mobile health companies. Companies receive an initial seed investment and a 12-week program in which Health Wildcatters works quickly to help the company build value and refine its product. The name “wildcatter” hearkens back to independent oil entrepreneurs who were willing to take risks in where they drilled. Health Wildcatters takes the same approach to finding companies, and this entrepreneurial approach allows it to help more startups reach their goals.

StartUp Health – Chaired by TimeWarner CEO Jerry Levin, this incubator aims to fund 1,000 healthcare companies within the next decade to help transform the face of the healthcare industry. StartUp Health works to build sustainable growth in its companies over a three-year period. During the incubation period, StartUp Health matches companies with a network of more than 10,000 health professionals and business people focused on improving digital health and wellness.

The Iron Yard – With its first location in Asheville, NC, the Iron Yard is growing a network of incubators focused on growing new areas of technology like digital health, green tech and emerging technologies. Its digital health accelerator, located in Spartanburg, SC, is working to turn one of the nation’s oldest railroad junctions into a hub for digital health innovation. The Iron Yard offers startups $20,000 in seed capital and three months of mentorship and workshops from experts in design, development and financing. The Iron Yard also offers training in web development and programming to place graduates with the startup companies it supports.

Blueprint Health – Blueprint Health, located in New York City, is one of the largest incubators in any niche and offers an expansive network of healthcare mentors to help healthcare entrepreneurs launch new ventures. Blueprint Health focuses on companies developing tech projects directly for hospitals, physicians and health plans rather than consumer-facing applications, which means deeper access to established customers. In 2013, Blueprint Health focused its efforts on mature startup companies. While many incubators assist early-stage companies, more than half of Blueprint’s mentees already had paying customers. With more than 12,000 sq. ft. of space and two classes per year, Blueprint Health is able to help more than 100 healthcare companies each year.

Healthbox – Healthbox offers accelerator programs in Boston, Chicago, Tampa, London, Nashville and Salt Lake City that provide digital health entrepreneurs with funding and access to a global network of healthcare investors and providers. Healthbox launched its first accelerator program in Chicago in 2012 and quickly grew to other states and the UK. It recently expanded its business programs with $7 million in funding and started a program that helps hospitals create their own in-house Healthbox accelerator programs that, in turn, help companies gain traction within their own medical communities. So far, Healthbox has invested in 56 active startups, supported by a network of more than 350 expert mentors.

It Doesn’t End at the Incubator

Incubators do an incredible job of supporting young companies with startup capital, office space, design and marketing help and more. But there are some services that most incubators just aren’t able to provide, especially to startups that handle sensitive information like personal health information and payment information. Securing that data and complying with the regulations that protect sensitive information can be a difficult process for a startup to undertake alone.

Since startups have to make every dollar stretch as far as they can, hiring IT staff and maintaining compliant data infrastructure can be out of reach. Luckily, startups can find partners outside of their incubator space that can help them meet data security and compliance standards. Layered Tech is committed to helping startups do just that. With a three-year commitment through the Layered Tech Startup Program, qualified businesses can receive the first six months of cloud hosting and compliance management free and the subsequent six months at a 50-percent discount. Layered Tech is proud to partner with startups to drive innovation in the healthcare and payments industries, and as a leader in secure cloud and compliant hosting solutions, understands the importance of helping startups focus on growing their business, and securing their data.

About the Author: As Director of Partner Sales for Layered Tech, Steve Chu (@stevendkchu) brings over 9 years of experience to the Payment and PCI Compliant Hosting industry. His background prior to Layered Tech was with HMS/Micros Systems, which provides a point-of-sale solution for the hospitality industry, and also with global IT consulting firm Sogeti Capgemini.

How to Ensure a Smooth Data Center Migration

We know that the word “migration” is enough to make most IT professionals lose sleep, and for good reason. Moving production data and applications to a new data center can be a significant undertaking, but it doesn’t have to be a nightmare. Properly managing a data and application migration begins with a plan and an understanding of the needs of your business.

There are two types of data migrations: forced migrations and planned migrations. Obviously, a planned data migration offers more opportunity to strategize your move around hardware lifecycles, development timelines and the needs of your business. Forced, emergency migrations are certainly not as easy, but they can still be managed if you and your IT staff take the proper steps beforehand to ensure a smooth transition. Here are a few tips to truly prepare for a data migration.

Continue reading ‘How to Ensure a Smooth Data Center Migration’

The Benefits and Challenges of Virtual Machine Hosting

The beauty of virtualization and cloud computing is that it is easier for enterprises of all sizes to benefit from the high performance and availability of our network without the cost of running their own hardware. Virtual machines are ideal for small-to-medium enterprises that need reliable service at low cost, and Layered Tech surpasses other Virtual Private Server companies by providing guaranteed levels of service and support.

But just like running your own hardware, there are a number of advantages and disadvantages to virtual machine hosting. If you’re wondering if a virtual hosting environment is right for you, we have you covered.

Continue reading ‘The Benefits and Challenges of Virtual Machine Hosting’

Health Wildcatters – As the Seed Grows

So, you’re an entrepreneur with a bright idea around technology in the healthcare industry. You have the necessary technical and business knowledge and you’ve put together a small, dedicated team. You’ve planted your technology seed and you’re bootstrapping your business.

Everything at this point is relying on you. Whether you succeed or fail depends, arguably, on whom you know, what your cash flow situation is, the guidance available to you, having a competitive advantage, and even having a workplace environment conducive to development of your idea. Without these things, your technology seed may never take root.

Continue reading ‘Health Wildcatters – As the Seed Grows’

Capturing Conversions: Why Milliseconds Matter to the Bottom Line

There’s an old saying we all deal with every day: time is money. On the Internet, money can be measured pretty well by one important metric: page load time. Research has shown consistently that user experience is important and functionality is useful, but nothing will cause a customer to jump ship quicker than a slow website.

In fact, Microsoft claims that 250 milliseconds can be the difference between a return customer and an abandoned checkout cart.

Continue reading ‘Capturing Conversions: Why Milliseconds Matter to the Bottom Line’

Visit Layered Tech at HIMSS14

On September 23, 2013 the HIPAA Omnibus Rule went into effect. This rule provides further clarification to a complex set of requirements. It also defines some potentially catastrophic penalties associated with a Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) breach.

Whether your company is a Business Associate, or a Covered Entity, the HIPAA Omnibus Rule has a significant impact on the policies and security measures in place for your hosting environments.

Continue reading ‘Visit Layered Tech at HIMSS14’

PCI Compliance Management: What To Expect

Many hosting providers offer a PCI- or a HIPAA-compliant solution that meets industry standards for high security and includes various tools to enable compliance. But at Layered Tech, we’ve taken this up several notches by offering complete compliance management through our Layer 4 Compliant Services.

With Managed Compliance, we take care of the majority of the work needed to pass a PCI audit. In fact, our clients are able to offload up to 80% of the 220 PCI controls when they engage our Guaranteed Compliant offering. This work includes taking on roles and responsibilities like centralized logging, change control, managing code rolls, full documentation, and audit support.

Continue reading ‘PCI Compliance Management: What To Expect’

Top 10 HIPAA Data Breaches of 2013

With 2013 in the books, it’s time to look back at some of the biggest health information privacy blunders of the year. The list below represents the ten largest HIPAA data breaches as tracked by the U.S. Department of Health & Human Services (HHS), based on the total numbers of affected individuals.

While penalties haven’t yet been handed down and lawsuits settled, each of the breaches below likely represents millions of dollars in fines and settlements. For example, during 2013 HHS handed out penalties ranging from $150,000 to $1.7 million. Potential class action lawsuits and the cost of providing fraud protection for those affected can quickly propel those costs into the tens of millions or even billions.

So on that happy note, let’s dive in!

Continue reading ‘Top 10 HIPAA Data Breaches of 2013’

iHT2 Health IT Summit Preview: Three Hot Topics

Hi, I’m Steve Chu from Layered Tech. Next week I will be attending the iHT2 Health IT Summit in Austin, Texas along with Jeff Reich, Layered Tech’s Chief Risk Officer.

The Health IT Summit is one of several regional events conducted by the Institute for Health Technology Transformation (iHT2). We look forward to attending this summit and engaging in discussions about the rapid evolution of technology in the healthcare industry.

Continue reading ‘iHT2 Health IT Summit Preview: Three Hot Topics’