NEW YORK, December 10, 2020 – E-Complish, a provider of custom payment processing solutions, has once again been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS), as well as with standards contained in the Security Rule component of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). It has also been certified as compliant with SOC 2 criteria developed by the American Institute of CPAs (AICPA) to manage customer data based on five “trust service principles.”
E-Complish achieved the PCI-DSS recertification for the 12th consecutive year and remains fully adherent to DSS 3.2.1, the strictest, most all-encompassing version of PCI standards developed and enforced by the PCI-DSS Standards Council. The PCI-DSS comprises a series of fraud-thwarting measures merchants, payment processors, and credit card service providers must exercise to safeguard and ensure consumers’ credit card information security. All businesses that accept, handle, process, or store credit card information must comply with the measures. Still, the extent of required compliance varies by merchant level as categorized in the PCI DSS.
E-Complish is a designated Level 1 PCI-DSS 3.2.1 Service Provider—the highest of four merchant levels. Accordingly, it must, in order to be certified and recertified as PCI-compliant, undergo an assessment by a third-party Qualified Security Assessor (QSA) to evaluate whether and to what extent it meets requirements outlined in 12 sections of the PCI-DSS 3.2.1. More than 300 elements are included in these requirements, and the QSA must obtain several thousand pieces of evidence and inspection in conducting its assessment.
Similarly, recertification of E-Complish’s compliance with HIPAA results from successful completion of a security assessment by a third-party security firm. Applicable to all entities that handle patient’s protected electronic health information (ePHI), HIPAA encompasses physical, network, and process security standards. In keeping with the HIPAA Security Rule, these entities must implement administrative, physical, and technical safeguards to ensure the security of ePHI.
The HIPAA security assessment involved a comprehensive review of policies and procedures, network and data flow diagrams; physical and environmental security; disaster recovery backup processes; vulnerability management; penetration testing, system hardening standards, and other pertinent areas. The third-party firm also assessed patch management; access control; data storage, logging, auditing; security monitoring; and incident response.
Meanwhile, E-Complish’s SOC 2 certification was issued by outside auditors who assessed the extent to which the payment solutions provider complies with one or more of five trust principles based on systems and processes in place at the company. These trust principles include security (protection of system resources against unauthorized access), availability (accessibility of systems, products, or services as stipulated by contract or service level agreement), and processing integrity (offering complete, valid, accurate, timely, and authorized data processing). Two additional trust principles encompass preservation of data confidentiality (via encryption, network and application firewalls, and rigorous access controls) and privacy (the collection, use, retention, disclosure, and disposal of customers’ personal information in conformity with individual organizations’ privacy notice, as well as with criteria outlined in the AICPA’s generally accepted privacy principles.
Greg Gaines, E-Complish’s director of compliance and client support, said the payment processing company has long made adherence to the PCI-DSS and the HIPAA Security Rule—as well as diligence in remaining compliant with both standards—a top priority. SOC 2 compliance will be an equal priority going forward.
“We will continue with this approach indefinitely, as we are committed to ensuring the security of credit card information, ePHI, and, in fact, all data for our customers,” Gaines noted. “It is also our mission to help our customers do the same for their customers, clients, and patients.”
E-Complish CEO and Chief Security Officer Stephen Price agreed, adding that working with a certified PCI-, HIPAA-, and SOC-2 compliant payment processing company is the most effective practice businesses of all kinds can exercise to safeguard both privacy and integrity of their customers’ data and their reputations. “Merchants owe it to themselves—and to their customers—to do everything in their power on this front, especially in light of the ever-greater threat and risk of data breaches and compromise,” Price stated. “By certifying and recertifying our compliance with PCI-DSS and the standards laid out in the HIPAA Security Rule, and now by emphasizing SOC 2 compliance, we can play an instrumental role in delivering on this promise.”