Enterprises of all sizes must ensure supplier, operational and regulatory (such as Sarbanes-Oxley and HIPAA) compliance in order to drive down risk. These requirements are complex and should be managed strategically.
PCI DSS Service Provider Level 1 Certification
PCI DSS (Payment Card Industry Data Security Standard) is a prescriptive data security standard that applies to any electronic application that is storing, processing, or transmitting credit/debit card data. The standard is maintained by the PCI Security Standards Council, and includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. These requirements are designed around six major principles:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
SAS 70 Type I and Type II
SAS 70 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) to evaluate the internal controls of a service provider. The Type I audit evaluates the service provider’s documented internal procedures and processes to ensure that they are sufficient to achieve the service provider’s control objectives. The Type II audit conducts a series of tests to ensure that the service provider is actually following those documented procedures and processes.
Salesforce.com AppExchange Service Provider Certification
Certification requires an extensive annual audit that evaluates the security profile of the on-demand environment, including operational processes, access controls, HR policies, and security incident response procedures. In addition, the environment undergoes an extensive network penetration test.
This certification is rare, reflecting a rigorous process.
U.S. Commerce Department Safe Harbor Certification
This certification signifies that the service provider employs policies and procedures that meet the privacy standards of the European Commission's Directive on Data Protection. The EU directive prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.
MEcom is not subject to other regulatory requirements such as Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX). We could get that kind of coverage through a hosting service.