Archive for the 'LT News' Category

PCI DSS 3.0: An Overview of Core Changes

Payment Card Industry Data Security Standard 3.0 (PCI DSS) changes became effective on Jan. 1, and many businesses will be working to ensure they are meeting new and updated requirements throughout 2014.

Last month, Layered Tech became one of the first managed hosting service providers to be certified under the PCI DSS 3.0 standards. Since we handle the majority of IT controls for many of our clients, it was an easy decision for us to seek certification as early as possible to help them address potential gaps in security and reporting requirements between now and the end of the year. In 2015, all hosting providers must be in full compliance with the new PCI 3.0 standards.

The PCI DSS Lifecycle

PCI DSS (and its counterpart PA DSS) rules live on a three-year lifecycle, and PCI 3.0 began its life when announced in October 2013. Since the new standards became available in January, most cloud solutions providers (CSPs) will spend 2014 implementing the changes pushed by PCI 3.0.

Old PCI 2.0 rules are grandfathered in for 14 months (through Dec. 2014), but merchants and vendors alike will be working diligently to complete their transitions as soon as possible. Here are some of the most noteworthy changes under the new requirements that you should be aware of:

Requirements in PCI DSS 3.0 Go Beyond Compliance

The major changes in PCI 3.0 focus on raising user awareness of potential security and compliance concerns, beefing up security standards, and making user-controls more flexible. At its core, PCI focuses on securing cardholder data, so the new standards put a lot of emphasis on securing internal infrastructure, managing third-party access and authenticating systems with access to data.

  • Establish a culture of security through education. One of the largest themes of PCI DSS 3.0 is to maintain and drive accountability at every level of a client organization by educating employees on security.
  • More rigorous requirements for penetration testing. Earlier standards required some testing, but 3.0 requires more strenuous testing at both the application layer and the network layer, and QSAs will have to put more emphasis on penetration testing. Tests must cover the entire cardholder data environment and use an accepted testing model, like NIST. Unlike most of the PCI DSS 3.0 changes, however, organizations have until July 15, 2015 to fully comply with the rules regarding penetration testing. Despite the longer deadline, we expect that penetration testing methodologies will come under increased scrutiny in the years to come, so having a rigorous testing method in place will be crucial.
  • Organizations must have written security agreements with service providers to define security obligations. PCI 3.0 requires that any business, third-party vendor or organization that accepts card payments is fully aware of its responsibilities in data security. The new standards provide an extra level of guidance to both CSPs and merchants to ensure that responsibility is shared, not outsourced.
  • Enhanced service provider scrutiny. CSPs must now use unique credentials for each of their clients (spurred by a data breach caused by a vendor using a single password across every environment), and must give customers documentation confirming their responsibility for the data in their possession and for maintaining compliance in the data environment.
  • Merchants and vendors must maintain a complete inventory of the cardholder data environment (CDE). This includes documenting each component of the environment, along with its function and purpose.

It shouldn’t be a big surprise that so many of the changes encourage CSPs and third-party vendors to share responsibility for maintaining security. So as more businesses seek help with their IT operations, third-party providers will have a more prominent role in guaranteeing compliance. At Layered Tech, we manage all the IT controls through internal staff, without third-party support, helping clients limit scope, risk and costs.

The Value of Early Adoption

Since all organizations – vendors, assessors and CSPs alike – must adhere to the new standard by the end of 2014, Layered Tech felt it was important to achieve early certification. As our clients begin to recertify their own businesses, we can now safely manage their controls and leave no gaps between their compliance efforts and our own. Layered Tech has always been on the leading edge of PCI DSS certification, and we continue to support the needs of our clients by staying ahead of the curve.

About the Author: Dennis Pickard holds CIA & CISA certifications and is the IT Audit Lead in the Compliance and Security Group of Layered Tech. He has more than 20 years of experience in compliance and technology audits, primarily in the Financial Services industry. Throughout his professional career, he has directed and performed numerous HIPAA security and privacy analysis activities.

How to Ensure a Smooth Data Center Migration

We know that the word “migration” is enough to make most IT professionals lose sleep, and for good reason. Moving production data and applications to a new data center can be an undertaking, but it doesn’t have to be a nightmare. Properly managing a data and application migration begins with a plan and understanding the needs of your business.

There are two types of data migrations: forced migrations and planned migrations. Obviously, a planned data migration offers more opportunity to strategize your move around hardware lifecycles, development timelines and the needs of your business. Forced, emergency migrations are certainly not as easy, but they can still be managed smoothly if you and your IT staff take the proper steps beforehand to ensure a smooth transition. Here are a few tips to truly prepare for a data migration.


Visit Layered Tech at HIMSS14

On September 23, 2013 the HIPAA Omnibus Rule went into effect. This rule provides further clarification to a complex set of requirements. It also defines some potentially catastrophic penalties associated with a Protected Health Information (PHI) or Electronic Protected Health Information (ePHI) breach.

Whether your company is a Business Associate, or a Covered Entity, the HIPAA Omnibus Rule has a significant impact on the policies and security measures in place for your hosting environments.


Q4 Update From Layered Tech CEO Jack Finlayson

I’m excited to update you on the progress and status of Layered Technologies (LT) Inc. as we begin the fourth quarter of 2013.


Should You Care About Application Performance Management?

Every customer running revenue-critical business applications should consider adding application performance monitoring and management. For this reason, we have taken our experience deploying application performance monitoring tools for our customers and released a standard managed solution. Our new Application Performance Management (APM) service, powered by AppDynamics, offers a “managed with” model in which we integrate APM with our customers’ managed hosting and cloud service. We handle the deployment, configuration and monitoring, and assist clients with utilizing the APM solution.


E-Pay Innovator Drives Mobile Commerce in Developing Countries

It was a pleasure to serve as a judge for the e-Pay Innovation award at the recent ETA Expo in New Orleans, LA. The winner of the $10,000 award was Trak for developing technology aimed at moving Brazil’s population from a paper payment system to a more efficient electronic format.

The ETA Technology Committee oversaw the event, which was part of the 2013 Annual Event and Expo in New Orleans. The Bill and Melinda Gates Foundation provided funding for the winner of the e-Pay Innovation Award and offered scholarships for several startup companies to exhibit in the Payments Next Zone section of the Expo.

Layered Tech Gets Fit During Kansas City Corporate Challenge

As the world’s largest sports organization, Special Olympics looks to transform lives through the joy of sport, every day and everywhere. In support of Special Olympics’ mission, Layered Tech’s Kansas City office is thrilled to be competing in and volunteering for the 2012 Kansas City Corporate Challenge, April 27-June 30.


Layered Tech Sponsors Southwest’s First Multi-platform Web Conference

Layered Tech is proud to be a sponsor of OpenCamp, the Southwest’s first multi-platform Web conference. Created by the same people who started WordCamp Dallas and DrupalCamp Dallas, OpenCamp takes place Friday, Aug. 27 through Sunday, Aug. 29 at the Addison Crown Plaza Hotel, located at 14315 Midway Road, Addison, TX 75001.


Layered Tech Delivers Global, Scalable Cloud Infrastructure for Customer Service Management Provider

When was the last time you dialed an 800-number for customer support or chatted with an online support rep about a product or service you’re using? As I type this post, call center agents for major corporations are handling tens of thousands of calls, e-mails and chat sessions. That’s a lot of customer interactions at any given time, and each customer engagement is important and must be treated personally. Some of the world’s largest brands, including Priceline.com and eBay, rely on customer service solution provider KANA Software to better manage their ever-increasing customer interactions. Ballooning customer interaction volumes put pressure on IT infrastructures, which is what drove KANA to re-evaluate the infrastructure it had in place.


Layered Tech Proudly Powers JDA Software Group, Inc: The Supply Chain Company®

When it comes to supply chain solutions, JDA Software Group, Inc. is no doubt the “Big Kahuna.” More than 6,000 enterprises worldwide rely on JDA to optimize their supply chain and improve profitability. In addition to its international presence, JDA’s solutions span numerous industries, including manufacturing, wholesale distribution, transportation, retail, grocery, travel, hospitality and media.
