19 Jan
Why Security Certifications Are Worth the Effort to Achieve Them
Scott Stephens, President
If your company outsources transactional business communications and payment services to a third-party provider, you need a clear understanding of which security certifications that provider should hold, why they matter and which ones are critical to your own industry. Today there are security standards covering protected health information, transactional documents, and the storing, processing and transmission of credit card and ACH payments, including requirements for data security, authentication and non-repudiation of bills.
It is good practice to learn about the security frameworks that address the specific requirements of your industry. For example, HITRUST CSF (Common Security Framework) certification was originally important mainly for companies that wanted to handle protected health information. Today the HITRUST CSF goes beyond the HIPAA requirements it was built around: it maps the controls of multiple frameworks and regulations, including NIST, FedRAMP and the EU's General Data Protection Regulation (GDPR), into a single certification, so one assessment can produce evidence against several of them. Additionally, the HITRUST Alliance has partnered with the AICPA (American Institute of Certified Public Accountants), which oversees SOC 2 attestations, to offer a joint reporting process that allows businesses to use the HITRUST CSF and CSF Assurance programs as the basis for SOC 2 reporting.
For companies handling transactional communications in financial services, the AICPA's SOC 2 is an attestation framework that lets a service organization demonstrate the controls it uses to protect customer data, whether that data is processed in the cloud or in the provider's own facilities. The SOC 2 Trust Services Criteria cover security, availability, processing integrity, confidentiality and privacy of customer data. Successful completion of the SOC 2 audit reflects DATAMATX's commitment to providing detailed, independently examined information on the suitability of the design and the operating effectiveness of the company's internal controls as they relate to its SaaS system.
If your company accepts credit card payments, your outsourced provider should definitely maintain PCI DSS compliance. The PCI Data Security Standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), and compliance is validated annually by a Qualified Security Assessor's Report on Compliance or, for lower transaction volumes, a Self-Assessment Questionnaire. PCI DSS requires businesses to meet stringent requirements, including formal change management processes, continuous monitoring and keeping the standard's security controls in place throughout the year rather than only at assessment time.
Certification is a way to validate how seriously your third-party provider takes security. Most security certifications impose strict guidelines on the evidence a provider must produce during the assessment to prove that its risk management, contingency planning, technical safeguards and other security controls are actually in place and operating as described.
Continuing to achieve and maintain these certifications demonstrates DATAMATX's ability to pass rigorous audits that cover a broad range of security requirements. It also keeps us in a process of continuous improvement, looking for and closing gaps in our security programs. Maintaining a high level of security and compliance keeps your business safe and, in turn, keeps your customers confident in sharing their valuable data with you.