Ensuring PCI and regulatory compliance

SSAE-16, AT 101 SOC 2 Compliance

On June 15th, 2011, SSAE-16 replaced SAS 70 as the standard for auditing the controls of service organizations that are relevant to internal financial controls. Many Black Lotus customers have a need for SSAE-16 compliance, which requires organizations to verify the controls of their vendors. Contrary to popular opinion, “SSAE-16 Certification” does not exist. Instead, organizations which must report on internal financial controls must obtain a SOC 1 report. One key difference between SSAE-16 and SAS 70 is that SAS 70 was an auditing standard, whereas SSAE-16 is an attestation standard, which provides a higher degree of assurance. In lay terms, this means that the SOC 1 report must be issued by a CPA who is attesting to the accuracy and reliability of the data found in the audit.

The AICPA, the organization responsible for SSAE-16, requires organizations which must prove SSAE-16 compliance to obtain a SOC 2 report from any other organization providing services “relevant to security, availability, processing integrity, confidentiality, or privacy”. A SOC 2 report is issued under the standards of AT section 101, or simply AT 101.

SOC 1 and SOC 2 reports are restricted use. This means that organizations may not freely distribute these reports under rules set forth by the AICPA. Service organizations providing services not relevant to internal financial reporting, such as Black Lotus, would only be eligible to provide a SOC 3 report, which is merely a website seal like the ones offered by WebTrust.

In order to ensure full compliance with SSAE-16 and AT 101, Black Lotus employs Certified Information Systems Auditors (CISA) who are members of the Information Systems Audit and Control Association. Furthermore, Black Lotus submits to attestation engagements ordered by customers who require SOC 1 reports under SSAE-16. This attestation must be conducted by an external and unbiased Certified Public Accountant (CPA). This CPA is prohibited by the AICPA from having any substantive relationship with Black Lotus or Black Lotus customers and any advisory or remediation work must be engaged through a different firm in order for the CPA conducting the audit and attestation to retain full independence.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a security standard maintained by the PCI Security Standards Council to ensure the security of cardholder data in the credit card and debit card industry. Many Black Lotus customers are concerned about maintaining PCI DSS compliance, and rightfully so, given the aggregated risk of reputational, operational, financial, and regulatory compliance loss that is inherent to the cardholder data environment. In fact, over 14,000,000 merchants are required to maintain PCI DSS compliance by Visa, MasterCard, and American Express alone. Compliance with PCI DSS falls into the scope of 6 control objectives:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

In order to achieve these control objectives, organizations which fall under the scope of PCI DSS must:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software on all systems commonly affected by malware
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

Black Lotus maintains full compliance with all PCI DSS requirements. Additionally, all Black Lotus products and services are in full compliance, including DDoS mitigation proxies, GRE tunnels when used with encryption, dedicated servers, and cloud servers.

It is crucial to understand that no provider can become PCI DSS certified on your behalf. Each merchant subject to PCI DSS must obtain an assessment from a Qualified Security Assessor (QSA). Similar to SSAE-16, Black Lotus will submit to an external audit ordered by an independent QSA engaged by a Black Lotus customer.

Additional Compliance Standards

The strict standards for regulatory compliance at Black Lotus are not limited to SSAE-16 and PCI DSS. Black Lotus offers solutions to ensure compliance with the following standards:

  • SOX – U.S. Sarbanes-Oxley Act of 2002
  • GLBA – U.S. Gramm-Leach-Bliley Act of 2002
  • Basel III – Basel Accord Standard III
  • FFIEC – U.S. Federal Financial Institutions Examination Council
  • HIPAA – U.S. Health Insurance Portability Act of 1996
  • FISMA – U.S. Federal Information Security and Management Act of 2002
  • SCADA – U.S. Supervisory Control and Data Acquisition