Those of you who know me know that I take compliance very seriously and that I work for a company that keeps security and compliance as core tenets of its business focus. I talk to customers daily about how compliance and security have to work together as part of a broader security program, and I have run webinar series on what it means to be HIPAA and PCI compliant. We’ve discussed what we can learn from businesses that are compliant but not secure. I’ve spent a lot of time talking the compliance talk.
At Armor, we’ve also spent a lot of time walking the compliance walk. In Q4 2012, we were one of the first service providers to achieve the rigorous HITRUST Common Security Framework certification, to demonstrate to our customers that we take HIPAA compliance seriously. And now I can share that Armor has successfully achieved its PCI 3.0 certification. Why does this matter to you? Because unless we roll up our sleeves, get our hands dirty and actually get compliant ourselves, how can we help you meet your compliance goals? By achieving these certifications, we can be confident that our compliance-ready offerings for healthcare and payments businesses are founded in fact, not just marketing hype.
I’ve said it before and I’ll say it again: there is no ‘easy button’ for compliance, and the new PCI 3.0 standard asks a lot more of businesses like ours (and yours). The new standard adds 107 new controls that extend across all 12 requirements and cover a range of practices, including defining service-provider responsibilities, managing credentials and vulnerabilities, detecting malware and more. These changes require both operational and technical work, and they offer a roadmap to better security and smoother compliance, helping organizations better protect their data, their customers and their reputations. The era of 3.0 compliance means businesses must shift away from an annual-checklist mentality and adopt a business-as-usual culture of vigilance.
That last part, the culture of vigilance, aligns well with Armor. We live and breathe security and compliance, but we still had to work hard to ensure that our people, processes and technology were up to snuff and working together. We had to define our cardholder data environment and validate its boundaries with intensive penetration testing and cardholder-data discovery searches. We had to prepare our documentation and complete a pre-assessment. We had to take all the steps that you are taking, or will take, so that we can help you through your 2015 PCI 3.0 audits.
As I’ve shared before, compliance does not equal security. Achieving this milestone doesn’t mean we can rest on our laurels. We will keep working to protect our infrastructure from cyber threats that grow increasingly sophisticated. By making compliance part of our broader security methodology, we can secure the cloud, continue to meet our requirements and keep protecting our customers and their most sensitive applications and data.
You can also see the full press release on Armor achieving PCI DSS 3.0 certification early.