Industry Insights: The Need for SOC 2, PCI DSS and HIPAA Standards for Driving Data Privacy, Security and Compliance


Data breaches, fraud and cybersecurity threats are soaring. One only needs to watch the news to understand how they’re affecting our lives, with the latest example being the Colonial Pipeline ransomware attack, which led to gas shortages in the southeast. Protecting customer data has never been more important.

No matter what lengths you go to in order to protect your customers’ data, your safeguards are only as strong as those of your business associates and vendors. When evaluating the security stance of your vendors and partners in communications, print/mail, email, SMS/text and payments, you should look for a few key certifications and attestations, namely SOC 2 Type II, PCI DSS and HIPAA.

The value of third-party certification

Certifications and attestations awarded by independent auditors signify that a company’s systems, processes and governance are secure and compliant. Auditors put these companies through their paces every year. They test plans, policies, processes, people, facilities and tools to ensure they meet or exceed best practices on data privacy, security and compliance for communications and payments.

Look for these certifications and attestations:

SOC 2 Type II addresses data security and controls.

The American Institute of Certified Public Accountants set standards, known as Service Organization Controls, that are used to audit how companies handle personally identifiable customer data.

  • SOC 1 focuses on internal financial controls
  • SOC 2 is for companies hosting or processing information for clients, such as customer payments
  • Type I covers a vendor’s systems and whether they are designed to meet relevant trust principles
  • Type II details the operational effectiveness of those systems

SOC 2 Type II attests to the quality of controls that directly relate to security, availability, processing integrity, confidentiality, and privacy at a service organization. Nordis meets or exceeds these control standards, per the auditor.

PCI DSS focuses on protecting card payment data.

To protect cardholder information, the Payment Card Industry created the Data Security Standard (PCI DSS). PCI DSS is a complex and evolving set of technical and operational practices for merchants or service providers that store, process or transmit payment card transactions.

The PCI Security Standards Council is readying a major revision, PCI DSS v4.0, for January 2022.

Major card issuers and banks that process transactions expect companies to stay current with PCI DSS. Some states require compliance for organizations that handle credit card data. Noncompliance can mean fines and other penalties, especially following a data breach.

Although Nordis does not transmit card data, we hold PCI DSS Level 1 certification, the most stringent level, which is required for companies that process 6 million card payments or more per year. Transactis, Nordis’ payments partner, which is now owned by Mastercard and supplies the payments engine for ExpressoPay®, is also Level 1 certified.

Level 1-compliant solutions undergo an annual onsite evaluation by a PCI Security Standards Council-approved Qualified Security Assessor to ensure they are following the proper procedures and best practices.

HIPAA addresses security of patient information.

The Health Insurance Portability and Accountability Act of 1996 required the federal government to create national standards to prevent sensitive patient information from being disclosed without the patient’s consent. The HIPAA Privacy Rule and HIPAA Security Rule delineate the requirements for handling protected health information (PHI) including electronic transmission.

The Security Rule sets a standard that companies perform periodic evaluations to make sure their security policies and procedures meet HIPAA requirements. Nordis uses an outside auditor for attestation.

As cyber criminals become bolder and more sophisticated, it’s critical to shore up security weak spots. Making sure your partners are vigilant and employing best practices for data privacy, security and compliance should be a key part of your risk mitigation strategy.

To learn more, please contact us.