Cyber Security Compliance Requirements
An introduction to some common compliance standards.
Computer security is a complicated issue. Making sure important information is adequately protected is an easy statement to make. But “important” and “adequate” are subjective statements. This is part of the problem when trying to get guidance about how to secure your organization. Much of the advice you find is going to be subjective.
In order to remedy this, many governments, regulators, and service providers have set out specific, minimum standards for data security and compliance. By creating a single standard, much of the subjectivity surrounding security can be replaced by objective measures and specific guidance. For example, credit card companies and financial services stakeholders came together to produce the PCI-DSS standard, which stands for Payment Card Industry Data Security Standard and is a collection of standards that businesses must follow for the privilege to accept credit or debit cards as a form of payment.
When it comes to regulatory compliance, the first step is to ask yourself if the standards actually apply to you. Presuming you’re a business that accepts any form of plastic card as payment, then you’re obliged to meet PCI-DSS requirements (so, pretty much every business). However, if you don’t accept credit or debit, you’ve got nothing to worry about. That doesn’t mean you’re not still obligated to meet PIPEDA privacy standards, though. It can be difficult to know which regulations apply to you, so it’s always good to get advice from professionals as well.
Continuing on with our payment example though, let’s take a closer look at what PCI-DSS rules actually mean for you, which depends on a few things.
1) How many payments do you process annually?
PCI-DSS determines the size of your business by the number of card payments you process annually. The more you process, the bigger you are. It doesn’t matter what your company is worth or how many people you employ. The bigger you are (by PCI-DSS standards), the tighter the rules.
2) What credit card payment methods do you offer?
This matters more than you might think at first. If you accept card payment with old-school mechanical imprints, there are specific rules you need to follow. If you accept card payments over the phone, there’s a different set of rules. And of course, most commonly these days, if you have electronic card readers, there’s yet another set of rules.
To put it simply, the legal requirements for accepting credit/debit cards as a means of payment are going to change depending on the size of your business and the payment methods you accept. It’s not exactly straightforward, but the PCI-DSS standards website makes it pretty easy to find which rules impact you. Whatever those rules are, you are legally required to follow them. The consequences for not doing so are spelled out quite clearly.
PCI-DSS isn’t the only regulation out there that has mandatory compliance requirements. PIPA/PIPEDA are mandatory standards set out for personal data by the Alberta provincial government and the Canadian federal government respectively. FOIP is similarly mandatory for some organizations in some jurisdictions. Which regulations you are required to conform to depends on what you are doing and where you are doing it, and ignorance of those requirements will not be a useful defense. It’s in your best interests to figure out which regulations you are subject to and then make real efforts to conform to them.
This week’s splash of Shakespeare comes from Measure for Measure, “Condemn the fault, and not the actor of it”.
If you have any questions about PCI-DSS or PIPA/PIPEDA, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.