Trust Your Data with a PCI-Compliant Company
We take data security very seriously. All recovered data and customer credit card information is handled in a manner consistent with PCI security standards.
Data security is our highest priority, and in addition to PCI Compliance certification, we've received regular SSAE 16 Type II SOC 1 audits from independent auditing firms. These audits are further proof of the data hosting and processing controls that we use to protect customer information and recovered data.
What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for all businesses that handle, store or process credit card information. It provides guidelines that service businesses must follow to protect their customers' credit cards and to prevent fraudulent charges. It also provides guidelines for IT companies that handle stored credit card information on hard drives and other electronic media.
Any company that handles credit card information should comply with PCI security standards to minimize the risk of credit card fraud. PCI compliance is important in every industry, but it's particularly important for IT companies, as they often deal with large amounts of data, including encrypted and unencrypted credit card information that might be stored on hard drives or servers.
Data recovery companies deal with terabytes of data every day as they work to recover hard drives, servers and deleted files. PCI compliance is essential in preventing unauthorized access to this data.
Whether or not your recovered data contains billing information, PCI compliance offers the following advantages:
- Relevant, up-to-date security controls that protect your data from unauthorized access.
- Established guidelines that prevent fraudulent charges and set up an efficient, standardized way of handling credit card fraud if it occurs.
- Security standards that protect your information during and after the data recovery process.
- Standards that ensure appropriate security during electronic transfers.
If you're specifically trying to recover data that contains your customers' credit card information, PCI compliance also ensures that the information is protected while it's stored with the recovery company. Your business can be held liable for lost credit card information under certain circumstances, so choosing a PCI-compliant recovery vendor protects your company and prevents mishandling or misuse of your data.
It's also important to realize that PCI compliance is compulsory, so data recovery companies that do not provide proof of compliance may be violating consumer protection and privacy laws.
How Do Companies Achieve PCI Compliance?
To comply with PCI security standards, service companies need to provide information about the controls that protect customer credit card information and keep careful documentation that shows that their controls are in place. Audits and attestations are used to ensure compliance.
PCI compliance can be difficult to attain for data recovery companies due to the amount of information that is processed, transferred and recovered on a daily basis. Recovery providers must document the entire process, as recovered data can often contain sensitive information and access to it needs to be carefully controlled.
Keeping documentation ensures that:
- Employees cannot access, transmit or use credit card information, whether accidentally or maliciously. This is enforced through controls such as physical locks, security systems and authorization procedures.
- Recovered data that contains credit card information is handled appropriately and securely, with limited access. Data is destroyed in an approved manner and is only stored on a high-security network. The security requirements for data networks are clearly established in the PCI guidelines, and while no security guidelines guarantee 100% protection, regular updates ensure an up-to-date approach.
- All electronically transmitted credit card information is properly protected with strong encryption, firewalls and other electronic security controls, and those controls are documented. This also applies to recovered data that is transferred from the recovery company to the client.
In addition to documentation requirements, PCI guidelines require businesses to:
- Regularly monitor the networks that they use to store or use credit card information and test these networks at regular intervals. Tests are often carried out during audits and attestations.
- Detail "strong access control measures," which are the steps that a data recovery company takes to limit access to data. These might include physical and electronic security measures.
- Maintain an extremely secure network with appropriate firewalls and other security features.
- Find and manage potential security vulnerabilities. This means keeping computer security systems up to date, looking for loopholes and utilizing new methods of encryption along with other tools to protect data.
Data recovery companies should undergo security audits to ensure PCI compliance. These audits need to be performed by a Qualified Security Assessor (QSA).
Additional audits may be necessary when recovering data for PCI-compliant companies such as ecommerce merchants, including SAS 70 or SSAE 16 certifications. Secure Data Recovery Services has obtained these certifications and undergoes regular audits to protect our clients and to make it easy for our clients to find the reports and certifications they need to trust our engineers with their data.