For each area of concern with sensitive data, there are published guidelines to follow in order to achieve compliance. Reading and digesting the guidelines in whole can be a difficult task. There are decision-making tools, technical requirement write-ups, security policies, and security procedures to pore through. So, without getting into the nitty-gritty, we want to answer some of the frequently asked questions that come our way.
“How can I securely accept credit card info over email?”
This just isn’t possible. Even if your email system is encrypted and considered secure, you have no control over how that information is handled on your customers’ email systems and all of the technology between.
“Do I need to be PCI compliant if I don’t use a computer to process credit cards?”
Yes. PCI compliance doesn’t require a connection to the Internet or even a computer system. PCI compliance is determined by the way that you store, handle, or process credit card information, whether the card information is in a locked filing cabinet or on a computer.
“Do we need to worry about this if only one of our computers processes credit cards?”
Unless the computer that processes credit cards is completely isolated on its own network, your entire network needs to be PCI compliant.
“Who enforces PCI compliance?”
Generally speaking, your merchant bank enforces PCI DSS compliance.
“I was told I couldn’t scan to email because it’s not compliant.”
You may be able to. Compliant scanning requires a compatible copier, a secured connection directly to your mail server, and properly configured Data Loss Prevention policies that prevent forwarding and force encryption. We can work with you to ensure everything gets set up correctly and your mail clients are compatible.
“What do I need to do to keep my XP/2003/Vista systems compliant?”
At this point, replacing or upgrading them are the only options. This is because security updates are no longer available for these systems, which leaves a security hole in your network and breaks your compliance. Furthermore, Windows 7 computers will be in the same boat soon, so it would be a good idea to start making plans for upgrading any such computers once their support ends.
“Do we still need an analog fax line, or can we go digital and meet HIPAA compliance?”
You do not need an analog fax line; Efax and other vendors offer a HIPAA-compliant product. We will work with you to find an appropriate solution that meets your needs.
“Can you assist us through an audit?”
Of course! We can help you prepare for an audit, answer questions during it, and implement the resulting recommendations.
“Can you help us write our policies?”
Yes, we can provide templates and samples of the most commonly required security policies.
If we still haven’t managed to cover some of your questions about compliance, please give us a call! We’re here to help you!
Your UniVista Team
*Celebrating 20 Years of Customer Satisfaction*