Archive for the 'Industry Expert' Category

PCI DSS 3.0: An Overview of Core Changes

Payment Card Industry Data Security Standard 3.0 (PCI DSS) changes became effective on Jan. 1, and many businesses will be working to ensure they are meeting new and updated requirements throughout 2014.

Last month, Layered Tech become one of the first managed hosting service providers to become certified under PCI DSS 3.0 standards. Since we handle the majority of IT controls for many of our clients, it was an easy decision for us to seek certification as early as possible to help them address potential gaps in security and reporting requirements between now and the end of the year.  In 2015, all hosting providers must be in full compliance with the new PCI 3.0 standards.

The PCI DSS Lifecycle

PCI DSS (and its counterpart PA DSS) rules live on a three-year lifecycle, and PCI 3.0 began its life when announced in October 2013. Since the new standards became available in January, most cloud solutions providers (CSPs) will spend 2014 implementing the changes pushed by PCI 3.0.

Old PCI 2.0 rules are grandfathered in for 14 months (through Dec. 2014), but merchants and vendors alike will be working diligently to complete their transitions as soon as possible. Here are some of the most noteworthy changes under the new requirements that you should be aware of:

Requirements in PCI DSS 3.0 Go Beyond Compliance

The major changes in PCI 3.0 focus on raising user awareness of potential security and compliance concerns, beefing up security standards, and making user-controls more flexible. At its core, PCI focuses on securing cardholder data, so the new standards put a lot of emphasis on securing internal infrastructure, managing third-party access and authenticating systems with access to data.

  • Establish a culture of security through education. One of the largest themes of PCI DSS 3.0 is to maintain and drive accountability at every level of client organization by educating employees on security.
  • More rigorous requirements for penetration testing.  Earlier standards required some testing, but 3.0 requires more strenuous testing on both application-layer and network-layer levels, and QSAs will have to put more emphasis on penetration testing. Tests must cover the entire cardholder data environment and use an accepted testing model, like NIST. Unlike most of the PCI DSS 3.0 changes, however, organizations have until July 15, 2015 to fully comply with rules regarding penetration testing. Despite the longer deadline, we expect that penetration testing methodologies will come under increased scrutiny in years to come, so having a rigid testing method in place will be crucial.
  • Organizations must have written security agreements with service providers to define security obligations. PCI 3.0 requires that any business, third-party vendor or organization that accepts card payments is fully aware of their responsibilities in data security. The new standards provide an extra level of guidance to both CSPs and merchants to ensure that responsibility is shared, not outsourced.
  • Enhanced service provider scrutiny. CSPs must now use unique credentials for each of their clients (spurred by a data breach caused by a vendor using a single password across each environment), and must give customers documentation confirming their responsibility for data in their possession and maintaining compliance in the data environment.
  • Merchants and vendors must maintain a complete inventory of the cardholder data environment (CDE). This includes documenting each component of the environment, along with its function and purpose.

It shouldn’t be a big surprise that so many of the changes encourage CSPs and third-party vendors to share responsibility for maintaining security. So as more businesses seek help with their IT operations, third-party providers will have a  more prominent role in guaranteeing compliance. At Layered Tech, we manage all the IT controls through internal staff, without third-party support, helping clients limit scope, risk and costs.

The Value of Early Adoption

Since all organizations – vendors, assessors and CSPs alike — must adhere to the new standard by the end of 2014, Layered Tech felt it was important to achieve early certification. As our clients begin to recertify for their own business, we can now safely manage their controls and leave no gaps between their compliance efforts and our own. Layered Tech has always been on the leading edge of PCI DSS certification, and we continue to support the needs of our clients by staying ahead of the curve.

About the Author: Dennis Pickard holds CIA & CISA certifications and is the IT Audit Lead in the Compliance and Security Group of Layered Tech. He has more than 20 years of experience in compliance and technology audits, primarily in the Financial Services industry. Throughout his professional career, he has directed and performed numerous HIPAA security and privacy analysis activities.

 

Health Wildcatters – As the Seed Grows

So, you’re an entrepreneur with a bright idea around technology in the healthcare industry. You have the necessary technical and business knowledge and you’ve put together a small, dedicated team. You’ve planted your technology seed and you’re bootstrapping your business.

Everything at this point is relying on you. Whether you succeed or fail depends, arguably, on whom you know, what your cash flow situation is, the guidance available to you, having a competitive advantage, and even having a workplace environment conducive to development of your idea. Without these things, your technology seed may never take root.

Continue reading ‘Health Wildcatters – As the Seed Grows’

Migration: One of the Most Overlooked Service Capabilities of a Cloud Provider

There has been a great deal of innovation around automated provisioning, scaling and decommissioning of cloud services in the past couple of years. The primary driver of this innovation is the ability to easily consume cloud services and pay only for the services that are being used. Creating cloud servers and appliances has become a remedial task to the end user with point-and-click provisioning being performed via slick web portals, while modern day cloud orchestration systems do the heavy lifting on the backend provisioning of the services that were ordered.

Continue reading ‘Migration: One of the Most Overlooked Service Capabilities of a Cloud Provider’

Why Education and Certification Matters for Tech Service Providers

It seems obvious that better trained employees will have a positive impact in any business. Yet, a recent survey by Accenture found that 35% of executives say they have not invested enough in training to develop the skills they need, and 64% anticipate loss of revenue due to this skill gap

Continue reading ‘Why Education and Certification Matters for Tech Service Providers’

10 Reasons Why Migrating to the Cloud Makes Sense

I had the opportunity to attend and speak at recent KANAConnect events in the US and Europe. I was surprised and delighted at the breadth of discussion and focus placed on cloud computing and the forward-thinking direction of many of the attendees.

One thing that was quite clear and different from what I’d experienced at past KANA events was the overall mindset towards the cloud playing a larger role in the future growth plans of the majority of the companies in attendance.

Continue reading ’10 Reasons Why Migrating to the Cloud Makes Sense’

Healthcare Startups, HIPAA Compliance, and Texas Hold ‘Em

Your healthcare startup has just secured its second or third round of funding as you prepare to move your apps out of beta testing and into the marketplace. It’s a heady time; your team is filled with anticipation over the impact your solutions could potentially have on the lives of millions. That is, if you last long enough to overcome all the pitfalls and obstacles that startups are subject to. You need to keep one eye on your burn rate and make sure that you’re prioritizing every dollar spent.

Continue reading ‘Healthcare Startups, HIPAA Compliance, and Texas Hold ‘Em’

Startups That Fly – Layered Tech’s Role

As Director of Compliance and Security services at Layered Tech since 2008, I have seen our Compliant Services business grow significantly during that time. With that growth, there has been a noticeable phenomenon related to our startup clients who have reached an attractiveness level high enough to become acquisition targets.

We are in a unique position to see this happen from start to finish. It is a behind-the-scenes supporting role where our economy of scale and simplified audit-service goals lend upward momentum. I have seen this happen several times, including with Layered Tech itself. It is a topic that deserves some background, so let me lay out an example of what I mean.

Continue reading ‘Startups That Fly – Layered Tech’s Role’

Q4 Update From Layered Tech CEO Jack Finlayson

I’m excited to update you on the progress and status of Layered Technologies (LT) Inc. as we begin the fourth quarter of 2013.

Continue reading ‘Q4 Update From Layered Tech CEO Jack Finlayson’

Preparing for New Payment Card Industry Data Security Standards

The PCI DSS (Payment Card Industry Data Security Standard) is in a release cycle this year, meaning version 3.0 will be released shortly. At this year’s recent Community Meeting of the PCI Security Standards Council, much discussion centered on the new version of the standard, which is why both me and our Chief Risk Officer, Jeff Reich, attended.

Continue reading ‘Preparing for New Payment Card Industry Data Security Standards’

What You Need To Know About Application Performance Management

I have seen a shift in responsibility for overseeing and managing applications. Application monitoring and management is increasingly moving from application architects and developers and into IT operations. Our clients’ IT management folks are expected to be responsible for ensuring application health and performance and therefore are increasingly relying upon Layered Tech to provide management information and dashboard.

Continue reading ‘What You Need To Know About Application Performance Management’