IDS, DMZ, SAS-70, CISP, HIPAA... Can someone please translate?
Some of the most common questions we get at Logicworks relate to security and regulatory compliance. Here is a quick breakdown of how these issues can impact your business and the technical solutions necessary to satisfy each set of requirements.
What do CISP, SDA, and PCI stand for?
In 2001 Visa introduced the Cardholder Information Security Program (CISP). This standard applies to all Visa transactions whether in retail stores, on the phone, or over the Internet. Visa still retains the term CISP to refer to its internal set of security guidelines, so you may hear the term CISP used today. You may also hear the term SDA (Site Data Protection) which is MasterCard’s internal security standard. In 2006 Visa participated with MasterCard and American Express in a broader industry standard, the Payment Card Industry Data Security Standard (known as PCI or PCI DSS). Today if your site includes any credit card information, whether you accept, store, transmit, or process this data, PCI is the standard that you need to understand.
How can I be sure my site is PCI compliant?
There are three main considerations. First, you need to choose a PCI compliant hosting provider. Logicworks and most top-tier vendors fall under this category, but you should always ask. Second, you need to sign up with an Approved PCI Scanning Vendor (ASV). Your scanning vendor will review the code on your site and detect vulnerabilities. Logicworks partners with Hackersafe.com to provide ASV services, but there are a number of other qualified companies as well. Third, you need to build an infrastructure that complies with PCI recommendations. Specifically, you need a properly configured firewall, an Intrusion Detection System (IDS), and, if your site is accessible to the public, you need to isolate the credit card data from the public data via a De-Militarized Zone (DMZ). At Logicworks we achieve these goals by using Cisco Adaptive Security Appliances (ASA) for Linux-based systems and Microsoft Internet Security and Acceleration (ISA) for Windows systems.
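The DMZ pattern described above is easy to state and easy to break with one careless rule. The following is an added example, not Logicworks' code or an ASA/ISA configuration: a small Python model of three zones (public Internet, DMZ web tier, cardholder data segment) with first-match firewall rules, plus a check that flags any effective rule letting the public zone reach cardholder data without passing through the DMZ. Zone names, ports and both rule sets are constructed for illustration.

```python
"""Added example (not Logicworks' code): model PCI-style network segmentation.
Public traffic may reach the DMZ tier; only the DMZ tier may reach the
segment holding cardholder data. Zones, ports and rules are constructed."""
from dataclasses import dataclass

# Constructed zone names
INTERNET, DMZ, CARDHOLDER = "internet", "dmz", "cardholder"

ANY_PORT = 0  # port 0 in a rule means "any port"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    action: str  # "allow" or "deny"


def first_match(rules, src, dst, proto, port):
    """Evaluate rules top-down, first match wins, implicit final deny
    (the behaviour of most firewalls, including the appliances named above)."""
    for r in rules:
        if r.src == src and r.dst == dst and r.proto == proto and r.port in (port, ANY_PORT):
            return r.action
    return "deny"


def is_allowed(rules, src, dst, proto, port):
    return first_match(rules, src, dst, proto, port) == "allow"


def isolation_violations(rules):
    """Return allow rules from the public zone straight into the cardholder
    segment that are actually effective (not shadowed by an earlier deny)."""
    violations = []
    for r in rules:
        if r.src == INTERNET and r.dst == CARDHOLDER and r.action == "allow":
            if first_match(rules, r.src, r.dst, r.proto, r.port) == "allow":
                violations.append(r)
    return violations


# Constructed rule set that follows the DMZ pattern
SEGMENTED = [
    Rule(INTERNET, DMZ, "tcp", 443, "allow"),            # shoppers reach the web tier only
    Rule(DMZ, CARDHOLDER, "tcp", 5432, "allow"),         # web tier talks to the card database
    Rule(INTERNET, CARDHOLDER, "tcp", ANY_PORT, "deny"),  # explicit deny for clarity
]

# Constructed rule set where a "temporary" shortcut was added at the top,
# so the public zone can reach the card database directly
FLAT = [Rule(INTERNET, CARDHOLDER, "tcp", 5432, "allow")] + SEGMENTED


def report(name, rules):
    """Summarise a rule set; returns the number of violations found."""
    bad = isolation_violations(rules)
    print(f"{name}: {len(bad)} isolation violation(s)")
    for r in bad:
        print(f"  {r.src} -> {r.dst} {r.proto}/{r.port} is allowed, bypassing the DMZ")
    return len(bad)


if __name__ == "__main__":
    report("SEGMENTED", SEGMENTED)
    report("FLAT", FLAT)
```

Running the block reports zero violations for the segmented rule set and one for the flat one. The same check can be run against an exported rule table before a change window, which is the point at which a segmentation mistake is cheapest to catch.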
For complete information on PCI compliance, a list of all the ASVs, and a copy of the PCI Self-Assessment Questionnaire, visit www.pcisecuritystandards.org. For further information on a PCI compliant hosted infrastructure at Logicworks, speak with one of our sales representatives.
HIPAA Compliance
HIPAA is an acronym for the Health Insurance Portability & Accountability Act of 1996. This is a set of standards established by the Department of Health and Human Services for the security and privacy of health-related data. If your site includes any confidential patient information, or involves any healthcare or insurance transactions, this type of content is considered Electronic Protected Health Information (EPHI) and should be handled according to HIPAA guidelines. Unlike PCI, there is no specific checklist for HIPAA-compliant systems. The full list of guidelines is available at www.cms.hhs.gov. The good news is that from a technical standpoint, many of the same approaches that we discussed for PCI compliance still apply. Establishing a properly configured firewall and IDS via Cisco ASA or Microsoft ISA is an accepted industry practice for HIPAA sites.
SAS-70 Type II Compliance
When hiring a service-oriented vendor for your company, you always need to check that the vendor is SAS-70 Type II compliant. This applies to various types of services, whether you are researching a hosting provider, an application service provider, a credit card processing vendor, or an insurance provider. SAS-70 refers to the Statement on Auditing Standards No. 70: Service Organizations. During a SAS-70 audit, a third party reviews all the professional standards and internal controls used by the vendor. Look for a Type II report rather than a Type I report. A Type I report is self-certified and only assures that the standards have been documented, not followed, while a Type II report states that the standards are being met to a third-party auditor’s satisfaction over the course of the audit.
Conclusions
Regulatory compliance and the associated security guidelines can be a web of confusing acronyms and requirements, but a good vendor should be able to explain how these regulations apply to your business and how to accomplish a compliant solution within your budget. The engineers at Logicworks have been guiding our clients through these types of challenges for over fourteen years. If you are looking for a PCI or HIPAA compliant hosting environment, contact our sales department and we will be happy to discuss the specific needs of your business and make a recommendation.