Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS 3.0) was published in November 2013 and became effective on January 1, 2014. Companies compliant with PCI DSS 2.0 have until January 1, 2015 to comply with the new version of the standard. Given that looming deadline, we thought it was best to revisit the importance of doing your own reading and interpretation of the regulations and standards that apply to your specific organization, no matter how big a pain that reading and interpretation may seem at the time.
Morgan Hunter first addressed this topic in the post “HIPAA Reading Is Fundamental,” published in Jan 2013, just before modifications to the Health Insurance Portability and Accountability Act (HIPAA) took effect. The excerpts from that post that appear below can be reapplied directly to those challenged by PCI DSS 3.0, as we find ourselves on the eve of yet another compliance struggle.
The problem with summaries or interpretations is you’re relying on someone else’s opinion/summary/interpretation to run your business. Sometimes you can get away with that, but in the cases of federal law, where both compliance and non-compliance can cost you millions, you need to read and understand how the legislation applies specifically to your business. Why?
- Ignorance of the law is not an excuse.
- Not understanding the subtleties can mean you spend way too much time and money in one area, when your real risk/liability lies somewhere else.
Another important factor that cannot be assumed or generalized under any regulation is the nature of your specific organization. There is no other company on the planet that is structured the same way as yours, or has the same partners or customers.
…because the mere existence of a relationship in-and-of-itself does not mean you are subject to the legislation…but it is the way you interact, logistically and contractually, and the specific data involved that determines your accountability under the law.
So, I’m going to say it and you’re not going to like it. If you are subject to HIPAA [or PCI, Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA), or any other complex regulations], or work with, contract with, serve, or have customers who are subject to HIPAA, you need to read and understand how this legislation applies to you. So, cozy up with the legislation and your corporate lawyer and ask yourself these three questions:
- Does my company possess, touch, handle, receive, transmit, or store protected health information?
- If so, to what extent is my company liable if something goes wrong?
- Does my company need to invest in compliance and remediation activities, and if so to what extent?
The next time that you have the opportunity to either read a particular piece of legislation yourself or rely on Joe Shmo’s summary, ask yourself: “If we miss something important (just on the off-chance of course) will Joe’s a$$ or mine be on the line?”
So whether you were preparing in 2013 to weather the changes to HIPAA, are addressing the upcoming PCI DSS 3.0 update, or are facing any other compliance issue for that matter – Do. Your. Own. Reading. This isn’t high school. Skip the CliffsNotes and do the legwork to ensure that your organization is compliant.
Check back with us next week to learn about Re-Thinking Security & Privacy Training.