PCI Compliance is Just One Part of Protecting Customer Data

Any company that accepts credit card payments is held to the standards of the Payment Card Industry Data Security Standard. If your company intends to accept card payment and store, process, and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider. There are a variety of ways this can be accomplished, so we will go through a few of them to give you a better idea of what needs to be done when protecting customer data.

By creating a secure network, you ensure customer data is safe and well hidden from prying eyes. Setting up a firewall configuration to protect cardholder data is the first step. Your hosting provider should have firewalls in place to create a secure, private network. Work with them to gain insight on the matter and create a firewall configuration policy. Also, although it may sound obvious, create your own unique passwords for the system. Going with the default password can be dangerous as these are easy to generate and created simply as a placeholder. Create your own password to make it that much harder for outside forces to get in.

Protect your stored data. This applies to companies that store their cardholder data. Encrypt the transmission of cardholder data across open, public networks. It may sound obvious, but this is important for protecting against identity theft. Encrypted data is unreadable and unusable to an intruder without the proper cryptographic keys. Encryption turns plaintext into ciphertext, which is unreadable to anyone without the key and the correct decryption algorithm.

Make sure that there are no weak spots in your system. Use and maintain anti-virus software to protect against the most recent malware. Malware and viruses are constantly being updated, so keeping ahead of the curve is the best way to keep all of your information protected. If your data is being hosted on outsourced servers, a managed server provider is responsible for maintaining a safe environment, which includes generating audit logs. Keep all of your systems secure and well maintained. Using an alert system, you should be able to keep up with newly discovered security vulnerabilities and fix them before they become a problem. The PCI compliant hosting provider should be monitoring and updating the system to address any security vulnerabilities, and if not, they should be informed of any changes made so that the proper updates can be implemented.

There should also be strong access measures in place. Limit the number of people that have access to the cardholder data to lessen the chances of a security breach. User accounts with access should follow the best methods to safeguard the data, which means password encryption, authorization, authentication, password updates every month or so, log-in time limits, and so on. Follow all of these and use common sense to make sure your customers are safe in your hands. Be the best they expect you to be.


Maintaining CJIS Compliance In Illinois - 5 Quick Steps For Local Governments

The Criminal Justice Information Services is essential to fighting crime and encompasses fingerprint data, criminal background checks, and other vital pieces of information for national security organizations. Compliance can be a challenge for businesses because it requires a bit of training, high-end software, and carefully controlled access points. Here are a few steps you can take for maintaining CJIS compliance.

Implement Encryption

The cost of CJIS compliance is dependent on the size and scale of an organization or business. As such, every business needs to use encryption for a variety of purposes, such as protecting user access points, storing digital information, establishing access control mechanisms to restrict users, and transporting digital information. Small businesses need only work with the local police force to set up an on-site storage server and set up a few APs for officers to access data. Larger companies will need to work with the metropolitan police department or state police force since they will be storing much more information.

Training

There should always be a CJIS Systems Officer on staff to ensure everything is within standard compliance. They need to be trained on standards for personnel who have access to CJI in the agency, policies for hardware and software that transfers and stores CJI, and standards for outsourced companies that have access to CJI.

Making CJI Data Available

Law enforcement has to balance security with ease of access, which can be difficult depending on the amount of information. Creating an AP at a secure location allows easy monitoring, but may make it tough for law enforcement to gain access quickly enough. Your business needs to weigh the pros and cons of AP placement and ensure there is a solid incident response plan in place should the worst happen.

Technology Fracturing

CJIS has specific security requirements, but it is left up to the business to choose which systems they use. Ensure your information isn’t spread across a variety of different systems, so that when disaster strikes, law enforcement is able to quickly and cleanly access the information they need.

CJIS Cloud

The National Data Exchange is a massive warehouse of data that law enforcement uses to track criminal records. Your own information from your business can be added to this storage space for ease of access, but make sure you check with the local police force to make sure this is advisable based on your line of work and information. This isn’t the only way to store information and there could be a cheaper solution based on what type of work you do.


Illinois Personal Information Protection Act - Compliance For Your Business

On May 6, 2016, Illinois expanded its definition of protected personal information, joining a number of states in a similar movement. A change this significant affects everyone currently managing a business or those trying to start one up. Compliance is as simple as setting everything up, but this article will explain everything that the Illinois Personal Information Protection Act changed so that you are better prepared to work with it.

Originally, the only personal information required was a first name or initial and last name in combination with a Social Security number, driver’s license number or state identification card number, or an account number or credit/debit card number or an account number with access code or password that would permit access to an individual’s financial account.

The new definition includes an individual’s first name or initial and last name in combination with medical information, health insurance information, or unique biometric data such as fingerprints or retina image. It also includes personal information like a user name or email address with a password. It also clarifies that if personal information is encrypted or redacted but the decryption keys or readable data elements have been acquired, then notification may be required.

Furthermore, under the new law, if notice is required and the breach of security involves an individual’s user name or email address, the notice should ask the user to “promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.”

For companies that haven’t already done so, the law requires companies that deal with records that contain personal information about Illinois residents to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” The same applies to any person receiving said information.

Finally, the new law deems entities to comply with PIPA if those entities are “subject to and in compliance with” the Gramm-Leach-Bliley Act Safeguards Rule. Additionally, entities subject to and in compliance with the Privacy and Security Rules for the protection of electronic personal health information under the federal Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) are deemed to comply with PIPA. But if an entity is required by HITECH to notify the U.S. Department of Health and Human Services (HHS) of a breach, the entity must also provide notification to the Illinois Attorney General within five business days of notifying HHS.

It’s quite a lot to take in, but following everything that has been laid out keeps you within the safety net of the law while also making sure your customers feel safe using your business. It may be a lot of paperwork, but their safety is your primary concern, so the end result is worth the effort.


1 Easy Way To Make Your Medical Practice HIPAA Compliant

HIPAA sets the standard for protection of sensitive patient data. The Health Insurance Portability and Accountability Act ensures that any company that deals with protected health information has all potential security measures in place and followed to the letter. This applies to anyone who provides treatment, payment, or operations in healthcare (called covered entities) and to anyone who has access to patient information and provides support in these fields (called business associates). There is one simple, surefire way to ensure your business is HIPAA compliant: utilize TimbukTech.

HIPAA requires quite a lot to ensure that your datacenter is compliant. There must be physical safeguards in place to limit facility access and control. All HIPAA-compliant companies must have policies about use of and access to workstations and electronic media. This includes transferring, removing, disposing of, and re-using electronic media and electronic protected health information. They need technical safeguards which require access control to allow only authorized users access to the protected data. This means unique user IDs, emergency access procedures, automatic log-offs, and encryption and decryption.

There need to be technical policies in place that cover integrity controls, or measures put in place to ensure nothing has been tampered with or altered. There should also be network safeguards in place to make sure there is no unauthorized public access to your information. Private networks are the best method to ensure nobody sees information they shouldn’t.

Sounds like a lot, doesn’t it? If your business is just starting out, this can all be a bit overwhelming. You need to manage quite a few legal steps to make sure everything is running smoothly while also handling all this data. Even current practices may have trouble juggling all of this at the same time. It takes a lot of time and money to manage all of this alone. That’s where TimbukTech comes in. TimbukTech is the simple solution to all your HIPAA problems. They are certified to handle all of this information in a safe and timely manner. Private servers to store the information, around-the-clock security to ensure everything is where it should be, and specialists standing by should something go wrong. There are few places safer than with them. Plus, this is a far cheaper solution than doing everything yourself. You would need to hire specialists, create and manage your own storage network, and keep track of all the files at the same time, while also trying to keep your business running smoothly. Why not just leave it in the hands of the professionals? They know what they’re doing and have the credentials and experience to back it up. Save yourself the pain and money and leave everything in their hands; you won’t regret it.


A Low Cost Way To Get Technology Support In Your Medical Office

Managing a business is difficult, and doing so on a budget is even tougher. It can be a bit stressful as clients roll in and you realize that, as much money as you make, it’s slowly rolling into the red month after month. You need a way, maybe two or three, to keep up productivity while saving money at the same time. For those of you still interested in the pitch, the magic word here is outsourcing.

For those of you new to the trade or who need a refresher course, outsourcing is a cost-effective method to help run your business by utilizing the skills of another company to manage a certain facet of your business, for instance, your technology support. You don’t have all the time in the day to worry about things running smoothly in the office, and paying workers to do that could eventually be overkill. If you are just starting up a business, you don’t have that kind of money. That is where outsourcing technology support comes into play.

The main reason to use this method is lowering costs. On average, a company can save considerable operational costs with an outsourced individual or team. It is the same work done at a fraction of the price, also allowing you to skip health insurance and vacation costs in the process. It is quality work at a much lower price. You also don’t have to worry about the expertise side of things. When hiring for a position, it’s sometimes tough to find people with the skillset and ability you need for the job. Outsourcing is a way to guarantee the work is high quality and much less hassle. Outsourcing also gives you more room to breathe day to day. By handing off redundant or repetitive tasks to the outsourcing company, you open up much more time to spend on ventures that further your own business.

Outsourcing is a great way to put your mind at ease about a task as well. The risk associated with it is rolled onto the outsourced company, freeing you up to focus on other matters. Customer service is also rolled over to their side, which may seem like a risk, but you wouldn’t have picked this company if you didn’t trust them, right? Anything that goes wrong, they are liable for it and will take care of it, meaning that complaints are directed to them, as is all the work associated with them.

Outsourcing doesn’t sound all that bad now, does it? It is basically hiring a group of workers at a fraction of the price to do a portion of the job you may normally have difficulty hiring for within the budget. Everyone likes saving money, so put your trust in a partner company and focus on making your business into the best it can be.