As a developer, when an incident comes in and reaches Tier 3 support (the development team), how can the developers get access to query the production database while remaining PCI compliant? I’m admittedly a newbie when it comes to PCI compliance. Is this just a case of read-only accounts? Is this a case of data masking? Is this a case of having a production copy within production so devs can’t hit a "live" DB? What’s the easiest and compliant way for developers to be able to perform application incident support in production?
As the title says: does Apache Tomcat 9 meet PCI compliance? Where should I start reading and gathering information about that topic? Thank you in advance for your answers.
I’m working on a web page that sends statistical data to providers, hosted in Azure. It will only be accessible to users we give permission to. While the page is functionally complete, it will contain PHI. I’ve been researching and implementing the requirements to make it HIPAA compliant, listed below. Are there any other items to make the list more complete?
- Stored data encrypted
- Backup data encrypted
- Automatic backups, never lost, recovered at any time
- Data transmitted to site is encrypted
- Website accessible only to authorized persons
- Unique permissions that can be audited
- The web site can be permanently deleted
- Information no longer needed must be permanently disposed of
- BAA agreement with Microsoft
- Data breach protocol documentation
- SSL encryption
- Regular password changes
- Security logs
- Appointed HIPAA compliance officer
- Published HIPAA policy on site
- All web forms are secure
- Page not tampered with or altered
We’re also looking for a security consultant to verify everything is locked down. Are there any suggestions on companies to contact? After some research, the two that kept popping up are https://compliancy-group.com/ and https://www.hipaasecurenow.com/. Any insight into consultants would be appreciated, thanks!
As a compliance-driven organization, we are positioned to understand and address the intricacies of trade regulations and agreements at the global, regional, national and local levels.
I have a situation where an application has to encrypt/decrypt some credit card data, each encryption key (it could be symmetric or private asymmetric) has to be in two separate places, managed by different people. One person cannot have access to any part of the key and the ciphertext it decodes at once. The application is a Windows service, it will have to have access to the whole key and the ciphertext in order to work on/process the decrypted data.
How can I make sure the server administrator (we use VMs) does not have access to both the key and ciphertext, but since it’s an admin account it will have full control over the VM (and thus the service)?
I received a question as follows: Does the vendor solution need to have the ISO 27001 certification for the application itself, or just for the hosting of the platform?
In my understanding, ISO 27001 cert concerns companies/vendors and includes both solution and the hosting platform. Are they separable? In the case of SAAS solution, can I have the platform certified and the app not?
Let’s say there is a company (name: X) which is PCI certified and compliant as a merchant. In terms of PCI compliance, what does company X have to consider while working with third parties? E.g., for a business reason company X needs to forward hashed PAN numbers to a third-party provider (name: Y). What does company X have to do in order not to violate PCI compliance? Is there a document I can read on this?
My company ships very large, very heavy products to the homes of everyday consumers (think big home renovation materials). Currently, we provide the customer’s name, shipping address, and phone number to the factory. The factory then provides that information to a freight company, who then provides it to a final-mile delivery company.
The final-mile delivery company wants us to provide the customer’s email address so they can improve the delivery time frame. Customers are significantly more likely to respond to an email than they are to a phone call. Text messaging isn’t, apparently, effective enough either, because there are still land lines in play.
We ship only to the continental United States, so we don’t fall immediately under the GDPR umbrella, but my concern is that providing this email address to other businesses in our manufacturing and delivery pipeline will have PCI compliance consequences.
It would be simple if I could just add a disclaimer to our Terms and Conditions explaining that we will give the customer’s email address to other entities for the purposes of shipping and delivery and that the information won’t be used for marketing purposes, but I’m afraid there are implications I’m not considering.
Can anyone provide any insights about how I should approach this problem?
My company just hired a team in India for development work. They will have full access to our network via VPN. They will not have access to client data directly. My question is…
Are we required to follow the same controls for offshore contractors as we do for full-time employees? I.e., background checks, NDAs, policy approvals, security awareness.