
Blog

Posts Categorized Under "COMPLIANCE"

8 Essential Resources to Help You Understand GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) will be fully enforceable in the European Union (EU). This new regulation succeeds the Data Protection Directive, a two-decade old directive that’s languished in recent years due to the growth of available online information.

Once it’s officially required, the GDPR will apply to every member state of the EU and address the protection and movement of personal data. What does the EU consider personal data? According to this press release from the European Commission, it’s defined as “any information relating to an individual whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

Are you prepared for GDPR compliance? This regulation will change the way data is handled and threaten companies with strict consequences if they fail to cooperate, so it’s vitally important that European businesses—and even international businesses that handle the data of EU residents—are aware of what’s coming and address needs now to satisfy upcoming legal and customer requirements.

If you don’t have a clear grasp on what GDPR entails, don’t panic. This helpful list of resources will tell you everything you need to know.

 

1. A Primer on the GDPR: What You Need to Know [Article]

This quick seven-minute read from Proskauer, a privacy and cybersecurity practice group, covers basic information behind the what and why of the GDPR.

Why it’s helpful:

Not only does this article discuss why the Data Protection Directive needs to be replaced, it compares the two regulations and gives readers insight into the potential business implications that will follow the change, such as increased violation fines.

 

2. GDPR Compliance in 5 Minutes [Video]

Are you involved in marketing? Do you have marketers in your company? If you answer yes to either of these questions, check out this video from Gated Content for a summary of how the GDPR will affect marketing methods. Tips on making your web forms regulation compliant are also included at the end.

Why it’s helpful:

Marketers are especially poised to be affected by the GDPR, as they frequently handle personal data through the use of web forms and opt-in consent. This video deconstructs GDPR compliance for marketers into simple ideas and easy-to-understand graphics.

 

3. The EU General Data Protection Regulation Website

The EU General Data Protection Regulation website is a central space for GDPR education. Have a burning question about the GDPR? Check their FAQ, or follow their quick links to key regulation changes and a full regulation timeline.

Why it’s helpful:

Most resources on the internet cover the what, why, and when of the GDPR, but few tackle a FAQ quite as well as this website does. Learn about the difference between a regulation and a directive or read up on how the GDPR affects data breach policies. It’s all right here.

 

4. Preparing for EU GDPR [SlideShare]

If presentations are more your thing, this SlideShare from IT Governance in the UK is a great way to start learning about the GDPR. It’ll walk you through each article of the regulation, then leave you with nine steps you can take to meet GDPR compliance.

Why it’s helpful:

Each slide is packed with the knowledge you need to get a decent overview of the GDPR. We particularly love the explanations of what “natural person” (#7) and “personal data breach” (#9) mean. IT Governance also includes an hour-long video (#32) at the end, providing more context to the entire presentation if you need it.

 

5. EU GDPR: A Pocket Guide [Book]

Available in paperback and Kindle, this 56-page resource is promoted as “a clear, concise primer on the EU GDPR,” great for reading on your morning commute or over lunch hour.

Why it’s helpful:

If you need portable, pocket-sized information on the GDPR, we highly suggest this book. It covers the history of data protection, runs through a list of regulation terms and definitions, and describes what is expected of your organization during (and after) this important transition.

 

6. GDPR Simply Explained in 3 Minutes [Video]

Time is valuable. We know what it’s like to need information delivered quickly, without the additional fluff.

If you’re looking for something plain and concise, this video may be a beneficial resource in your arsenal. It explains the GDPR and its requirements in only 3 minutes, leaving you more time to focus on your business (and enjoy that morning cuppa).

Why it’s helpful:

If you’re a visual learner, this video’s strengths lie in its clean layout and helpful discussion on key regulation buzzwords. We also deeply appreciated its explanation of the GDPR requirements businesses must follow as soon as this regulation is enforced (May 2018).

 

7. 10 Ways to Prepare Your Organization for GDPR [Article]

Feel like you have a handle on the GDPR but aren’t sure what to do next? No problem. This article lists 10 ways you can prepare your company for GDPR compliance by May 2018.

Why it’s helpful:

Step-by-step instructions make it easy to plan ahead, and we love this resource because it does exactly that: give you the details you need to make informed decisions in your organization. Suggestions like “take a hard look at your current processes” and “educate your employees on updated consent requirements” help get you in the mindset of the new regulation—and bring you closer to full compliance.

 

8. What Does the GDPR Mean for Global Data Protection? [Infographic]

Infographics are great tools for education, and this one is no exception. In fact, of all the resources we’ve shared, this is our favorite. It’s straightforward and dressed with the information you need to move forward with GDPR compliance.

Why it’s helpful:

The chart is glued together with incredible statistics, a thorough timeline of the GDPR’s history, visual explanations of what this new regulation means for businesses that handle European data, and more. It’s easy to read and even easier to share, making it an authoritative resource to distribute across any organization.

 

 

 

Love resource lists? So do we! For information on another important area of business compliance, PCI DSS, check out our 7 essential resources on PCI DSS security.

Have a resource you’ve used that isn’t accounted for here? Share it with your fellow professionals by submitting it in a comment below.

 


Can HIPAA Certified Solutions Really Guarantee Compliance?


When searching for a new healthcare solution to meet your organization’s needs, it’s easy to see the labels “HIPAA Certified” or “HIPAA Compliant” and believe your bases are covered. After all, “HIPAA Certified” means the product or application follows HIPAA’s privacy rules and has everything in place to protect your health and patient information, right?

Unfortunately, no. While such a certification could be useful for organizations in the future, giving them peace of mind during the stressful process of shopping for new solutions, the U.S. Department of Health and Human Resources (HSS) “does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an “official” certification,” reports this recent article from HealthData Management. This means businesses that tout their products as compliant or certified can do so—but can’t enforce the claim as legally true.

If you see a solution that’s labeled “HIPAA Certified,” you can still consider it as a viable option; just do so carefully. Businesses often use these terms as a simple way to say “we meet all of HIPAA’s rules and regulations in our given field, and we can help you take steps toward full compliance.” But they can’t guarantee their product will make you compliant, and ultimately the responsibility to become and remain compliant rests on you and your organization.

Rob Reinhardt, owner of Tame Your Practice, a company that provides consulting to mental health and wellness professionals, says this of “HIPAA Certified” solutions: “You cannot maintain HIPAA compliance by simply “only purchasing HIPAA compliant stuff.” Only Covered Entities and Business Associates can be compliant. They do so by following all of the requirements of HIPAA and HITECH, which are extensive.” Covered Entities are health care providers, like doctors and psychologists, health plans, like health insurance companies or government plans, or health care clearinghouses. Business Associates are people or businesses that help Covered Entities carry out their daily functions.

Are you shopping for a solution that will support your business processes and bring you one step closer to full HIPAA compliance? To make the search less painful, here are a couple tips we recommend following when vetting potential companies.

1. Read the Fine Print

When you come across a product that is labeled certified or compliant, read the fine print to see exactly what they’re offering you. Make sure they clearly list what they’ll do to help your organization achieve HIPAA compliance, and be wary of any company that hides this information or won’t give it to you. We also recommend you think carefully before purchasing software from a business that’s been declared HIPAA compliant by a third party. Just because someone else says they’re compliant doesn’t mean they are.

2. Ask the Right Questions

Go into the conversation or demo with a list of questions you need answered. Here are a few we recommend to get you started:

  • Do you have a clear outline of how your product will help me become HIPAA compliant?
  • Do you have a HIPAA compliance checklist I can see?
  • How does the product encrypt sensitive data?
  • Can it run audit reports of data access and movement?
  • What level of expertise does your business have with HIPAA and HITECH?
  • Do you have a HIPAA specialist on staff that I could talk to?

In the end, finding a solution that matches your needs shouldn’t be difficult. It should be easy. Just remember: the right solution will help you in your journey to HIPAA compliance, not guarantee it. Only you can do that—by making sure your organization meets all HIPAA regulations.

Looking for a managed file transfer solution that can help your organization meet several key HIPAA and HITECH requirements via a managed, centralized, and auditable environment? Our solution, GoAnywhere MFT, may be right for you.

To learn more, download our white paper, How Managed File Transfer Addresses HIPAA Requirements for ePHI, or view our HIPAA and HITECH solutions brief.

 


Are You Ready for the 2018 PCI DSS Deadlines?


Sometime last year you achieved total compliance with PCI DSS, the information security standard for all organizations that process credit or debit cards. That means your data is safe, the auditors will leave you alone, and you can kick back and relax, right?

Unfortunately, hackers don’t take breaks. Their methods are constantly evolving, making it essential that you are compliant with the latest security standards. Fortunately, PCI DSS is designed to ensure that you know exactly what to do to stay ahead of new threats. Staying PCI DSS compliant also lets you avoid hefty fines.  

The latest version of PCI DSS is version 3.2, which was announced in April 2016. Hopefully you’ve already seen the new rules and are taking steps to improve your security. You should be aware that some major PCI DSS compliance deadlines are approaching in 2018.

Although PCI DSS 3.1 technically expired in October 2016, all new requirements in version 3.2 will be considered best practices until 2018, when they’ll become mandatory. Here are some of the most important changes:

 

Multi-Factor Authentication (Best Practice Now, Mandatory February 2018)

PCI DSS version 3.1 called for two-factor authentication. Don’t worry about the name change to multi-factor authentication—it’s just to clarify that more than two types of authentication are possible. The more important update is that the requirement is expanded to include all individual non-console administrative access as well as all remote access to the cardholder data environment (CDE).

That means that for any potential CDE access points, including through tools like your managed file transfer solution, you need to have multi-factor authentication either at the network or the system level.

 

TLS 1.1 or Above (Best Practice Now, Mandatory June 2018)

SSL and its immediate successor, TLS 1.0, are no longer considered strong encryption methods. Originally, the new PCI DSS requirement mandated that every organization migrate to TLS 1.1 and above (ideally TLS 1.2) by June 2016. This deadline was later pushed out to June 2018.

However, if you’re using SSL or early TLS, you should know that you’re not using current security best practices. We recommend that you move your file transfers to a stronger encryption method as soon as possible.

 

Get the Full Scoop

In order to help you fully understand the changes to PCI DSS 3.2, especially how they relate to managed file transfer, we’ve created a new whitepaper. Download it to learn:

  • Who needs to comply with PCI DSS 3.2
  • What has changed since version 3.1
  • How PCI DSS compliance affects your file transfer processes and solutions

Get the Whitepaper

 


FBI Issues Warning on FTP Servers

The FBI recently issued a Private Industry Notification to healthcare providers warning them of the dangers of unsecured FTP servers. According to the alert, the FBI is aware of criminal actors actively targeting FTP servers operating in “anonymous” mode, meaning a user can authenticate to the FTP server with a common username like “anonymous” or with a generic email address or password. The FBI notification cited a 2015 study from the University of Michigan that indicated over one million FTP servers were configured to allow anonymous access.

While the notification was intended for medical and dental facilities, inadequate FTP security is a concern across all industries. According to the FBI, “Any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals.”
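A way to check your own servers for the anonymous-mode condition the notification describes, as an added example that is not part of the original post or of any product it mentions. The inventory names, the `allows_anonymous` and `audit` helpers, and the loopback stub servers standing in for real hosts are all constructed for illustration.

```python
"""Audit FTP servers you operate for anonymous-mode logins (added example)."""
import ftplib
import socket
import socketserver
import threading


def allows_anonymous(host, port=21, timeout=5.0):
    """True: anonymous login accepted. False: refused. None: unreachable or not FTP."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        try:
            ftp.login()  # no arguments: ftplib logs in as user "anonymous"
        except ftplib.error_perm:
            return False  # 5xx reply such as 530: anonymous mode is off
        return True
    except (OSError, EOFError, ftplib.Error):
        return None  # refused connection, timeout, or a non-FTP answer
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()


def audit(inventory):
    """Map each named server in {name: (host, port)} to its anonymous-login status."""
    return {name: allows_anonymous(host, port, timeout=2.0)
            for name, (host, port) in inventory.items()}


# --- Constructed loopback stubs so the example runs offline -----------------
class _StubFTPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 constructed test server\r\n")
        for raw in self.rfile:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("USER"):
                ok = cmd == "USER ANONYMOUS" and self.server.anonymous_enabled
                reply = b"331 Password required\r\n" if ok else b"530 Login denied\r\n"
            elif cmd.startswith("PASS"):
                reply = b"230 Logged in\r\n"
            elif cmd == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                reply = b"502 Not implemented\r\n"
            self.wfile.write(reply)


class _StubFTPServer(socketserver.ThreadingTCPServer):
    daemon_threads = True
    allow_reuse_address = True


def start_stub(anonymous_enabled):
    """Start a stub FTP server on an ephemeral loopback port."""
    server = _StubFTPServer(("127.0.0.1", 0), _StubFTPHandler)
    server.anonymous_enabled = anonymous_enabled
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _closed_port():
    """Return a loopback port that nothing is listening on."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Audit a constructed inventory: one open server, one locked, one down."""
    open_srv, locked_srv = start_stub(True), start_stub(False)
    inventory = {
        "ftp-open": open_srv.server_address,
        "ftp-locked": locked_srv.server_address,
        "ftp-down": ("127.0.0.1", _closed_port()),
    }
    try:
        return audit(inventory)
    finally:
        for srv in (open_srv, locked_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: anonymous login accepted = {status}")
```

Any server that reports `True` should have anonymous mode disabled or be confirmed to hold no sensitive data; `None` means the check could not be completed and says nothing about the configuration.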

The problems with FTP servers go beyond anonymous mode. For one thing, many organizations are running legacy FTP software that hasn’t been kept up-to-date with modern security concerns. Another widespread issue comes from granting excess permissions to trading partners or internal staff. Anyone given administrative access could change a setting on the server without realizing the potential security implications.

Hopefully it’s clear that you should be using encryption to protect your data. What some businesses fail to realize is that encryption methods vary greatly in strength based on factors like key size and type of encryption ciphers used. Many of the older ciphers and protocols have been broken and are now obsolete. Finally, a major problem with legacy FTP servers is a lack of alerts if anything goes wrong and the lack of detailed logs to help you maintain compliance with industry regulations.

These common pitfalls can be addressed with a robust managed file transfer (MFT) solution. Managed file transfer offers a variety of strong, up-to-date protocols and encryption methods, allowing you to replace standard FTP with something more secure like SFTP or FTPS. Software with role-based security gives you the option to limit any user or user group to just the permissions they absolutely need, and detailed audit logs keep track of exactly which user took what action and when—essential information for your team and for auditors alike.

To learn more about how to secure an FTP server, watch the on-demand webinar, Top 10 Tips for Securing Your FTP or SFTP Server.

 


Take the PCI DSS Quiz, Win a Free Tablet!

With the looming 2018 compliance deadlines and the constant news of data breaches, PCI DSS is on the minds of IT and cybersecurity professionals around the world. For organizations that reached compliance within the last year, you may be surprised to know that only 29% of companies are compliant a year after validation.

As processes, partners, and staff shift within an organization, keeping track of the measures required to maintain compliance can be difficult. The first step in becoming or maintaining PCI DSS compliance is understanding the requirements, and how they apply to your organization.

How well do you understand the PCI DSS requirements? 

Find out by taking this fun, interactive quiz for the chance to win a free Google Pixel C. That’s right, one lucky winner will be selected at random to win a free tablet just for taking the quiz.

 

So what are you waiting for? Test your PCI DSS skills below.

 

 

 

 

 


Get the Guide: Achieving HIPAA Compliance with GoAnywhere MFT


Are your file transfers HIPAA compliant? Is your healthcare organization at risk for fines, or worse - a data breach of sensitive patient information? Many health IT teams meet these questions with unease.

Fortunately, GoAnywhere is here to help.

HIPAA (the Health Insurance Portability and Accountability Act) protects the confidentiality, integrity, and availability of electronic health information. For any IT professional working in the healthcare industry—or for a company that does business with healthcare organizations—HIPAA is a concern. Compliance is strictly enforced, with penalties including substantial fines and, in rare cases, even prison sentences.

HIPAA is dedicated to protecting patient health information, but cybersecurity is only a portion of what the law covers and HIPAA’s security standards were not written for an IT audience. Avoiding specific technical language means the law changes with the times and allows organizations to adopt new technologies that help them meet HIPAA requirements. This approach provides flexibility, but it also makes HIPAA compliance challenging—IT professionals have to translate HIPAA into IT terms to determine what steps they need to take to become compliant.

Patient care involves constantly exchanging and updating electronic records, making file transfers a potential area of security vulnerability. GoAnywhere MFT protects valuable personal data while simplifying HIPAA compliance.

We’ve put together a guide that demonstrates how GoAnywhere MFT addresses several key HIPAA requirements. For example, GoAnywhere prevents unauthorized access by authenticating users and passwords with a variety of techniques including database authentication, LDAP, and Active Directory. Audit trails are generated to document if unauthorized attempts are made to alter or delete documents.

 

Download the guide to learn more about how GoAnywhere makes HIPAA compliance easy.

 

 

 

 

 

 


Why Healthcare Organizations Need a Managed File Transfer Solution


 

Last year was a scary year in healthcare cybersecurity. A hack of Banner Health breached up to 3.7 million records. Another data breach at 21st Century Oncology resulted in multiple lawsuits being filed against the organization. When a third party gained unauthorized access to computer systems at Valley Anesthesiology and Pain Consultants, almost 900 thousand patients, employees, and providers had to be notified. These are just a few examples of the biggest incidents in the news—smaller security failures are happening all the time.

Patient records are extremely sensitive, so healthcare organizations have to be especially vigilant about securing their data. Additionally, they need to be able to prove compliance with HIPAA. In an industry that involves constantly moving and updating patient records, maintaining security and compliance requires a robust method of protecting any transfer of data. That’s why no healthcare cybersecurity strategy is complete without a managed file transfer (MFT) solution.

Why Not Use a Basic File Transfer Tool?

Many EHR or network monitoring software packages already implemented within a healthcare organization include some secure file transfer capabilities, so it’s easy for IT professionals to ask: “Why not just stick with the basics?” While some of the add-on file transfer tools may protect sensitive data in transit, there are several crucial features that a complete managed file transfer solution adds.

Supports varied platforms, protocols and encryptions: A good managed file transfer platform will support a variety of protocols, such as SFTP, FTPS, and HTTPS, and encryption standards like AES and Open PGP. It may be necessary to select different methods for each transfer based on your partner’s requirements.

Centralized system for organized monitoring and reporting: For many healthcare organizations, regular monitoring and reporting of file transfers is a requirement for compliance adherence. The ideal MFT solution provides a single tool capable of handling all your transfers out of one area, whether that be server-to-server batch file transfers, user-to-user ad-hoc file transfers, or person-to-person file collaboration. A centralized area simplifies the ability to monitor and report all transfer activity.

Controls user access: HIPAA requires that organizations prevent unauthorized access to files. Of course, this can mean hackers with malicious intent, but you should also have protocols in place to protect data from internal actors. A 2015 study found that internal actors were responsible for 43% of data loss. That includes both intentional and accidental security failures.

MFT software with role-based security options can limit each user to the servers and the functions of managed file transfer that they absolutely need to use. Individual files and folders can be restricted to certain users or user groups. Since every user has a unique user ID, all their activity can be tracked—essential if you face an audit.

Facilitates HIPAA compliance: Modern IT environments and the volume of electronic records stored by healthcare organizations are far larger and more complex than what existed when HIPAA was first enacted. Although many organizations got by with FTP-based tools or custom scripts in the past, the best way to meet HIPAA requirements today is with an easy-to-use, comprehensive managed file transfer platform.

In addition to providing the required security protocols and encryption, a good MFT tool will generate detailed audit trails and reporting of every file transfer, identifying the users, the recipients, and the file names transmitted. Just what an auditor needs to see.

Simplifies and automates transfers: Configuring each file transfer in a way that is secure, compliant, and meets the individual needs of each business partner is extremely time consuming. Too many manual steps in the transfer process can make a high volume of file transfers impossible to manage, not to mention error-prone. The automation capabilities of managed file transfer software can streamline data transfer processes and reduce the potential for mistakes.

Case in Point: 
AnMed Health Saves 500+ Hours of Manpower Each Month

When health system AnMed Health made the decision to replace outdated file transfer systems with GoAnywhere MFT, their new ability to support SFTP and PGP encryption increased the number of vendors AnMed could perform simplified, secured transfers with.

But that wasn’t the only benefit. Using managed file transfer eliminated the need for third-shift data center staffing and saved programming, operations, and network staff over 500 hours a month. How much money do you estimate that 500 hours a month could save your healthcare organization?

Another useful improvement was automatic notifications and greater visibility into the status of file transfers. Previously, the AnMed Health team often only found out about a problem when they received a call from a vendor. A robust MFT solution will alert you if something goes wrong, allowing you to attack the issue without delay.

Ready to see for yourself? Schedule a demo of GoAnywhere MFT to see how easily your file transfer process can be secured, automated and centralized.


7 Essential Resources on PCI DSS Security


Did you know that 80% of organizations are not compliant with PCI DSS requirements? That means, if you’re reading this, there’s a pretty good chance your company needs to make adjustments in order to ensure a fully compliant payment processing infrastructure.

PCI DSS compliance doesn’t happen overnight, and maintaining compliance year after year can be even more difficult. In fact, only 29% of companies surveyed were in compliance a year after validation. With these statistics in mind, we’ve compiled a collection of the best PCI DSS security and compliance resources.

Don’t see your favorite resource listed? Add to the list by commenting below.

 

1. PCI DSS Quick Reference Guide [PDF]

This PDF guide provides a comprehensive overview of PCI DSS requirements, necessary security controls and processes, instructions on how to comply with PCI DSS and a list of trusted resources. Published by the PCI Security Standards Council, it’s authoritative and comprehensive.

Why we love it:
For anyone just beginning their research on PCI DSS, this guide is a great place to start. Keep in mind, the PCI Security Standards Council typically releases a new guide when the next version of requirements is confirmed. Check their website for the most up-to-date version.

 

2. Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions [Book]

This book is a must-have guide for anyone responsible for securing credit and debit card transactions, and offers an inside look at how these systems can be hacked. To beat the enemy, you must know the enemy.

Why we love it:
In the last few years POS hacks have become more prevalent (Wendy’s, Cici’s Pizza and Eddie Bauer, for example). With a reader rating of 4.3 out of 5 stars, this book provides real and actionable solutions on how to achieve better security at the point of sale.

 

 

3. The Hacker Playbook 2: Practical Guide To Penetration Testing [Book]

This resource goes above and beyond PCI DSS compliance to teach security professionals how to protect against hacking through the game of penetration hacking. Described by readers as a “no-fluff” “ultimate playbook”, this top-rated book made our list of recommended PCI DSS security resources for good reason.

Why we love it:
This step-by-step guide is top-rated, and takes a unique approach to preventative security, helping readers to better understand all the ways their infrastructure could be compromised.

 

 

 

 

4. Validation Requirements [Infographic]

Are you a visual learner? Then this infographic is a great place to start when looking to understand PCI DSS validation requirements.

Why we love it:
The chart is straightforward, allowing anyone to quickly understand which validation requirements their organization falls under.

 

 

 

5. Reduce PCI DSS Scope [SlideShare]

Most PCI DSS compliant businesses are looking to minimize the cost and effort that comes with PCI DSS compliance. Fortunately, there are a few key ways to reduce the scope of PCI DSS, and this helpful SlideShare explains them.

Why we love it:
Reducing PCI DSS scope is a very important aspect of PCI DSS compliance, and can greatly help to reduce the costs dedicated to maintaining compliance. Beginning on slide 23, this SlideShare offers some great ways to reduce PCI DSS overhead.

 

 

 

 

6. PCI DSS Compliance Made Easy [Video]

In this 3-minute video, a small business owner explains how PCI DSS compliance affects him, his customers, and his business. He also explains the important risks of non-compliance.

Why we love it:
PCI DSS compliance applies to so many types of businesses, and the importance of these regulations can easily be missed by small business owners focusing on day-to-day operations. This video takes a personable, engaging approach to PCI DSS compliance.

 

 

7. Acquirers: How to Give Your PCI DSS Compliance Program a Tune Up [Infographic]

If you’re confident that your organization is already meeting PCI DSS compliance, this infographic is for you. Learn four ways you can give your PCI DSS compliance program a tune-up, to ensure on-going compliance in years to come.

Why we love it:
In a sea of resources on “what is PCI DSS” and the basics to becoming compliant, this infographic speaks to those organizations that have moved past that stage in their compliance.

 

 

Want more PCI DSS compliance resources? Check out our new guide on how GoAnywhere Managed File Transfer helps to make PCI DSS compliance easy. 

 

 


10 Shocking PCI DSS Compliance Statistics

If you work for any organization that processes credit or debit card information, you’ve heard of the Payment Card Industry Data Security Standard (PCI DSS), the regulatory standard aimed at preventing costly data breaches like the ones you may have heard about at Home Depot or TJX. But how much do you really know about PCI DSS compliance? Here are some interesting PCI DSS compliance statistics you may have missed.

 

1. PCI DSS compliance has increased by 167% since 2012

This is the best news on the list. According to Verizon’s latest PCI DSS Compliance Report, the number of organizations that are fully compliant at the time of interim assessment is growing rapidly each year.

 

2. 80% of organizations are still not compliant

While the increase in businesses taking PCI DSS compliance seriously is important, the number of compliant organizations was very low to begin with. According to Verizon’s report, four out of five companies still fail at interim assessment.

 

 

3. Only 26% of news media executives feel confident their businesses are compliant

A Newscycle Solutions survey found that only a small number of executives felt confident they had achieved PCI DSS compliance. Another 13 percent were not certain. While this compliance statistic is a snapshot of a specific industry, it’s common across all types of organizations to feel unsure about meeting PCI DSS standards. IT infrastructure becomes more complex every day, PCI DSS rules change frequently, and many companies lack up-to-date expertise.

 

4. Only 29% of companies are compliant a year after validation

Many businesses check PCI DSS compliance off the list and then stop worrying about it. Unfortunately, less than a third have maintained compliance a year later. While successfully demonstrating PCI DSS compliance to an auditor is a big relief, it won’t keep your business safe from security threats. The Verizon report recommends building a robust framework with security policies, procedures, and testing mechanisms to ensure compliance every day of the year.  

 

5. You could pay $100,000 a month for being non-compliant…or much more

One of the least understood aspects of PCI DSS compliance is that the fines for non-compliance are levied on the payment processors or credit card companies (the acquirers) that work with the non-compliant business, not the business itself. Those fines range from $5,000 to $100,000 a month. Of course, the acquirer will recoup the money from you, quite likely with added penalties and increased transaction fees.

 

6. None of the companies breached during Verizon’s investigations were fully compliant

This statistic is just in case you thought that PCI DSS standards were only important for your auditors. In Verizon’s ten years of having a forensics team investigate PCI DSS compliance, they have never found a company that was fully PCI DSS compliant at the time it was breached. Take note.

 

7. 39% of organizations were breached through insecure remote access

A 2017 study from SecurityMetrics reported that in 2016, the largest single origin of compromise was through insecure remote access. PCI DSS regulations recognize remote access as a vulnerability, and instruct organizations to protect against breach via remote access by implementing “two-factor authentication for remote access to the network by employees, administrators, and third parties,” in requirement 8.3.

 

8. The average total cost of a data breach is $4 Million

According to the Ponemon Institute, which tracks the costs of data breaches every year, the current amount is up 29 percent since 2013. Refer to #6 for why this statistic directly relates to your PCI DSS compliance.

 

9. 69% of consumers would be less inclined to do business with a breached organization

According to Verizon, the majority of consumers would be hesitant to do business with an organization that has suffered a data breach. If you’re having trouble justifying the cost of robust security solutions, this is what you need to think about: being complacent about PCI DSS compliance today could lead to years of lost customers and a damaged reputation for your brand.

 

10. The average merchant, at the time of data compromise, wasn't compliant with at least 47% of PCI DSS requirements

Stemming from statistic number six, the 2017 SecurityMetrics study also found that the average breached merchant was not compliant with a significant percentage of PCI DSS requirements at the time of breach. The study supposes that this lack of compliance is attributed to a lack of trust in the effectiveness of these regulations, or a belief that PCI requirements are too technical or too costly to implement.

 

It’s clear that many organizations are struggling with PCI DSS compliance. It doesn’t have to be difficult. Seek out security software solutions that protect your valuable data using up-to-date methods, generate detailed logs to keep auditors happy, and allow you to easily test for PCI DSS compliance.

The next set of PCI DSS deadlines are coming in 2018. Is your business prepared? Read this whitepaper to learn what changes are necessary before the 2018 deadline.