Often companies think of compliance as an annoying imposition — something to grin and bear. And while achieving compliance is not always a cakewalk, the upside of doing so can be huge. Whether you are interested in starting a company, entering a new market, or winning new customers, achieving compliance can be a major business driver. Here’s why it’s beneficial to your bottom line to think about compliance in this way.
Two Compliance Regulations That Can Help Strengthen Your Business
As you may know, we are running a series on compliance in the cloud, focusing on two specific types of compliance: PCI DSS and HIPAA. Why these two? To start, Threat Stack customers and prospects ask us more questions about these two compliance regulations than any others.
PCI DSS compliance governs the way payment card data is processed, handled, and stored. It is required for merchants and all businesses that touch payment data in any way — and that’s a lot of businesses. HIPAA compliance applies to any organization that handles “protected health information” (PHI). While at first it might seem like HIPAA only applies to a small group of companies, the reality is that — especially as more and more of this data goes online — PHI is touched in some way by an extensive range of people from providers (doctors and hospitals) to insurers to vendors like cloud storage services, mobile and web applications, and more.
If you want to do business with anyone who handles payment card data and/or personal health information (which, again, is a lot of organizations), then you need to be PCI and/or HIPAA compliant.
Other types of compliance — like SOC 2 and SOX 404 — are important and may also apply to your organization depending on various factors, but PCI and HIPAA are the two most likely to affect your business development and operations efforts, so we will focus on them in this post and throughout the series.
HIPAA and the Cloud: All Aboard the Omnibus
HIPAA has been around since 1996, but recently its rules were updated to reflect changes in the way we work and how we store data. The most important change for businesses that are not providers or insurers but still touch Personally Identifiable Information (PII) in some way is the Omnibus amendment to HIPAA, which was added in March 2013. The Omnibus amendment expanded the definition of those who must be HIPAA compliant to include not just primary handlers of PHI but also their “business associates.” Basically, if you want to do business with a primary handler, whether you offer backup services or are a mobile app developer, for example, odds are high that you need to be HIPAA compliant and sign a Business Associate Agreement.
While this does increase the burden on those who would like to do business with healthcare-related entities, it also means that there is a new opportunity out there for companies that become HIPAA compliant. Moreover, building the practices to become HIPAA compliant into your core security framework won’t just answer the business need, but will also improve your overall security stance.
For example, let’s say you are a big data company that wants to work with Blue Cross Blue Shield to help them do risk analysis more effectively. The bad news is that you, as the data company, first need to become HIPAA compliant. The good news is that, once you are compliant, you will be able to work with any healthcare-related company out there. It’s like being put on a white list for business.
As Computerworld put it, “If a [company] wants to make the necessary investments to ensure their infrastructure and practices are HIPAA-compliant, there is significant opportunity to court business from organizations that are governed by HIPAA.”
Your sales team should be cheering right about now.
PCI and the Cloud: Around the Internet in 288 Rules
PCI DSS stands for Payment Card Information Data Security Standards, and that pretty much says it all: PCI is designed to keep payment card information safe. As we mentioned, PCI applies to a wide range of businesses, including:
- Merchants (brick-and-mortar, ecomm, and mixed)
- Service providers (banks, credit card companies, communications service providers, etc.)
- Data storage companies (including cloud storage)
- Payment processors (like Square and Stripe)
- And many more
Essentially, PCI applies to anyone who collects payment card data, stores payment card data, or moves payment card data from one place to another.
As with HIPAA, there is good news and bad news here. We’ll start with the bad: If you plan to handle credit cards in any way, you need to be PCI compliant. The good news: If you are PCI compliant, it opens up a host of new business opportunities.
Now, as a company, being PCI compliant means you must be able to guarantee that any payment card data coming into and/or leaving your company is safe. PCI standards are complex (there are 288 in all), but the reality is you simply must become compliant in order to process any credit card-based transactions.
If you are a vendor — such as an mBaaS provider or a cloud storage provider — becoming PCI compliant may not be strictly necessary, but it can help you win business, because most companies that handle payment card data don’t want to (or can’t afford to) build a safe cloud from the ground up. They don’t want to start from zero with compliance mandates like point-to-point encryption or cloud security. So any vendor who can do it for them — who can attest to their compliance with PCI DSS — will immediately rise to the top. Bottom line: as a vendor, it’s to your benefit to become PCI compliant, because you will be able to offer your customers the protections they need.
Is it Really Worth the Effort?
Let’s say your company provides backend services for insurance companies, and you’re thinking about expanding into the health insurance field. To do so, you’d need to become HIPAA compliant. You might be wondering, if you’re already handling personally identifiable information like insurance account numbers, Social Security numbers, and more, whether your existing practices will suffice. If you find you do need to add HIPAA compliance to your practices, you may be wondering whether it’s worth the trouble of doing so.
If you aren’t a company in the healthcare space or a merchant for whom HIPAA or PCI compliance is a must, then you have the option of deciding whether to go after new markets that require compliance. And you will likely find yourself wondering at this point whether it is worth the effort and expense of becoming compliant.
It’s a fair question, and the answer in many cases depends on some fairly straightforward math. First, you want to calculate how much it will cost to become compliant. This will likely include hiring a compliance expert as an employee or consultant, having a third-party audit performed, and purchasing software and other products that are required to meet compliance standards.
On the other side, you want to calculate how much business you could win if you became compliant. And, really, you might be looking at a market that has a massive upside. If you’re a new company, consider market potential. If you’re up-and-running, take a look at deals you’ve lost or that are currently stuck in the pipeline because you’re not compliant. For many companies, while the initial outlay can be steep, it’s well worth the avenues it opens up for sales.
A Final Word
The bottom line is that, for many companies, regardless of whether PCI DSS or HIPAA compliance is automatically required, it can be worth the effort of becoming compliant because of the many business opportunities that open up as a result. Do the math and figure out whether it makes sense for your company. And, if you need help covering the cloud security requirements that are involved with HIPAA and PCI, contact us today so we can show you how Threat Stack’s platform may be able to help.
If you have questions, tweet us @ThreatStack, or send an email to [email protected].