Risks of Not Complying with SOX and PCI Compliances

Upload: syscloud

Post on 12-Apr-2017

Category: Technology

TRANSCRIPT

Page 1

Risks of Not Complying with SOX and PCI Compliances

Page 2

BACKGROUND

In order to protect confidential information held on cloud servers, compliance regulations are mandatory for any internet infrastructure that offers data storage solutions.

Cloud data is constantly under threat, both from hackers with malicious intent and from users who leak sensitive information by mistake.

Page 3

PCI Compliance

PCI compliance refers to full observance of the security standards set for the Payment Card Industry (PCI).

Prepaid, debit, and credit transactions via the major card brands (MasterCard, Discover, JCB, Visa, and American Express) are regulated by a set of standards aimed at preventing (i) fraud during card payment transactions and (ii) theft of cardholder information.

The PCI DSS (Data Security Standard) came into force in 2006, at a time when card payments were rapidly entering e-commerce and many other kinds of merchant transactions. It was judged necessary that an independent body, the PCI SSC (Security Standards Council), should administer the security standards for businesses that hold information captured during the processing of card payments.

Under these security standards, merchants who handle cardholder information are classified on the basis of transaction volume, from 20,000 e-commerce transactions up to 1 million to 6 million other transactions. PCI rules stipulate that such merchants must have systems in place to ensure data protection, network security, monitoring and testing, access control, information security, and vulnerability management.


Page 5

PCI Compliance

Within the general PCI compliance requirements, companies that store card payment information must specifically:

- Enforce regular system security checks

- Enforce tracking and monitoring of access to stored data and to the network

- Operate under a written information security policy

- Develop a secure platform for data and maintain high security levels

- Protect all stored information

- Develop and maintain an encryption system for cardholder data processing

- Restrict access to cardholder data to business need-to-know, making data available only when needed

- Implement a unique ID for each user who accesses card data from a computer

- Protect cardholder data applications with regularly updated firewalls

- Use only system-generated passwords, never vendor-supplied default passwords

- Restrict physical access to cardholder information

- Use regularly updated anti-virus software on all systems

Page 6

PCI Compliance

PCI compliance is assessed on a level basis, from Level 1 to Level 4. Companies are assigned levels through a two-step process of:

a) PCI scans conducted quarterly, with results issued by an external, approved party

b) Annual self-assessment to determine risk levels for card payment transactions

Risks and penalties of PCI non-compliance

In the event of a data breach, PCI regulations allow for:

1. Fines of up to $500,000, levied on merchants independently by each of the credit card brand companies.

2. Fines that escalate depending on whether a merchant is found to be PCI non-compliant for the first time or multiple times.

3. Level 1 merchants generally paying higher fines, with penalty amounts reducing through to Level 4 merchants.

4. In addition to fines, PCI non-compliance exposes a merchant to:

5. Loss of customer trust

6. Stricter compliance audits

7. Loss of business

8. Rejected credit card payments by merchant banks

9. Customer lawsuits for breach of confidential information

Page 7

Famous PCI non-compliance cases

1. Target's credit card data breach in February 2014

Consequences:

- Revenue/profit loss on insurance compensation

- Loss of customer confidence

- Expenses on data breach investigation

- Expenses on issuing replacement cards

2. Sony Pictures data hack in late 2014

Consequences:

- Breach of employee information

- Leaked social security numbers

- Leaked payroll information for top management and other employees

Page 8

Sources

https://www.pcicomplianceguide.org/pci-faqs-2/

https://www.pcisecuritystandards.org/

http://www.focusonpci.com/site/index.php/PCI-101/pci-noncompliant-consequences.html

Page 9

SOX Compliance

The Sarbanes-Oxley Act (SOX) is a set of laws specific to the protection of financial information for US and non-US companies operating in the US public trade market.

Enacted in 2002, SOX regulations are intended to prevent fraudulent practices among financial and accounting companies while assuring investors and the general public of the safety of their investments.

Under this Act, compliance is mandatory not only for financial institutions but also for technology companies whose role is primarily storing, processing, and transmitting financial information on behalf of publicly traded companies.

Page 10

SOX Compliance

All institutions that comply with SOX regulations must have an established financial accounting system through which all reports on any financial data are generated. In addition, such institutions must provide clear and verifiable financial data for use in the generated financial reports.

Compliant companies must:

i. Undergo annual internal audits to ascertain controls for transparent and accurate financial reporting

ii. Have control procedures in place to prevent corporate fraud

iii. Comply with SOX regulations during quarterly and annual financial reporting

iv. Retain traceable, original data that was used for each financial report

v. Document any data changes or revisions and retain copies of the revised data

vi. Document all software revisions, as in the case of IT companies under SOX regulations

vii. Store all source data for a period of not less than 5 years

IT companies that store the financial data are required to retain all stored data for the period specified under the SOX Act.

Page 11

SOX Compliance

Risks and penalties of SOX non-compliance

- Jail term ranging from 10-30 years

- Company fine of up to $1,000,000 for intentional and unintentional non-compliance

- Loss of company reputation and customer trust

Page 12

Famous accounting/financial corporate scandals

Major corporate financial scandals that prompted the enactment of SOX financial auditing controls for publicly traded companies include:

1. Enron (2001): overstated its earnings reports to investors

2. Global Crossing (2002): reported inflated cash flows

3. Qwest Communications (2002): reported inflated revenues

4. Xerox (2001): reported falsified financial data

Page 13

Sources

http://www.sox-online.com/basics.html

http://www.sarbanes-oxley-101.com/sarbanes-oxley-faq.htm

http://www.lorandoslaw.com/FAQ/Sarbanes-Oxley.shtml

http://www.soxlaw.com/

Page 14

Sources

http://www.healthinfolaw.org/article/fast-facts-family-educational-rights-and-privacy-act-ferpa

http://ferpa.utk.edu/questions.php

http://www.verizonenterprise.com/pcireport/2014/

http://www.fiercehealthit.com/story/phi-breaches-138-percent-2013/2014-02-05

http://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/SOCWhitepaper.pdf

http://www.cpa2biz.com/Content/media/PRODUCER_CONTENT/Newsletters/Articles_2012/CPA/Jun/Easy123.jsp

https://www.novainfosec.com/2012/03/16/after-10-years-agencies-continue-to-fail-fisma/

http://www.guerilla-ciso.com/archives/150

http://www.slate.com/articles/technology/future_tense/2014/07/banned_website_awareness_day_why_schools_efforts_to_block_the_internet_are.html