PCI Council Releases PCI DSS 3.2.1: What You Need to Know

Learn what’s changed in the latest version of the PCI DSS.

PCI DSS version 3.2.1

The Payment Card Industry Security Standards Council (PCI SSC) recently announced the release of the PCI Data Security Standard version 3.2.1.

The Council previously released version 3.2 in April of 2016 to replace version 3.1, which brought with it some big changes, among which were new requirements for service providers and additional guidance about multi-factor authentication.

So what has changed between versions 3.2 and 3.2.1?

Changes to standard characterized as "clarifications" 

All of the changes in this latest version 3.2.1 are characterized by the PCI Council as clarification—as
opposed to additional guidance or actual changes in requirements. The intent of clarification from the PCI Council is to ensure that “concise wording in the standard portrays the desired intent of requirements.”

Many of the changes involve simply removing requirements’ effective dates which have passed or correcting minor punctuation and format issues. However, there are a few items of clarification regarding SSL/early TLS and multi-factor authentication that are worth noting:

  • “Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS” has been renamed “Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS for Card-Present POS POI terminal connections.” 

  • In Appendix A2, requirements A2.1 – A2.3 were updated to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.

  • In “Appendix B: Compensating Controls,” Multi-factor authentication was removed from the compensating control example, as MFA is now required for all non-console administrative access. The use of one-time passwords (tokens) as an alternative potential control for this scenario was added.


Stay updated to maintain compliance 

While these changes are not likely to affect your day-to-day data security routines or require much extra time or money, it’s important to use the latest version of the PCI DSS to avoid misunderstandings and potential gaps in security.

You can read a full and detailed summary of changes between PCI DSS version 3.2 and 3.2.1 here.

If you need help with PCI compliance or would like to know more about PCI audits, contact us here.


How Much Does HIPAA Compliance Cost?

Realistic HIPAA security budgets vs. wishful thinking.

Jen Stone
MCSIS, CISSP, QSA
HIPAA compliance is rarely allocated the resources it requires. And this trend extends beyond just small organizations with limited security budgets. Lack of budget is a plague that affects risk and compliance officers at health organizations of all sizes. 



This post will give you the information you need to more accurately plan your HIPAA budget.

SEE ALSO: Five Things to Consider When Making a HIPAA Security Budget

What does the HHS think HIPAA compliance costs?

The HHS gave an interesting estimation (see Table 1) of how much HIPAA compliance might cost, shortly after they released the HIPAA Final Rule in 2013.

Per organization, they estimated:
  • $80 for an updated Notice of Privacy Practices
  • $763 for breach notification requirement updates
  • $84 for business associate agreement updates
  • $113 for security rule compliance
Grand total per organization: $1,040

This estimate is likely inaccurate, especially when considering the complexities of the Security Rule. When the Security Rule was added back in 2003, it included 75 new requirements and 254 points for organizations to validate to, most of which are quite technical.

The following is an example of a "validation point:"

164.308 – Acquire IT Systems and Services (1 requirement)
Based on the OCR audit protocol, here are the validation points:
  • Interview management to verify that Policy and Procedures exist (P&P)
  • Determine if the P&P are approved and updated on a periodic basis
  • Obtain and review the documented policy (what is required) and procedure (how we are supposed to accomplish the task)
    • Where are P&P stored? 
How is it disseminated to staff?
    • How do we document staff have read, understand and agree to abide by the policy?
  • Determine if the P&P are approved and updated on a periodic basis
In this one example you can see that this single requirement (1 of 75) has three core validation points (3 of 254) with several more minor validation points.

Looking at the math, and the HHS’ estimated $113 allotted to the security rule, that means only $4 is allowed per requirement. It would be a stretch for healthcare entities to accurately validate each new security point for only $4 worth of labor, technology, and implementation. That’s not even taking into account that you will likely need to add (or, at the very least, upgrade) hardware and applications.

Variables that affect HIPAA compliance cost

The cost of HIPAA compliance depends on your organization. Here are a few variables that will factor into the cost of your overall compliance.

  • Your organization type: Are you a hospital, business associate, HIE, healthcare clearinghouse, or another type of healthcare provider? Each will have varying amounts of protected health information (PHI) and risk levels.
  • Your organization size: Typically, the larger the organization, the more vulnerabilities it has. More workforce members, more programs, more processes, more computers, more PHI, and more departments add up to more HIPAA cost.
  • Your organization’s culture: If data security is one of upper management’s top priorities, you have probably already invested in a cybersecurity program. If management has been hesitant to dedicate budget to security, compliance with HIPAA will cost more because you will have more distance to make up.
  • Your organization’s environment: The type of medical devices, the brand of computers, the kind of firewalls, the model of backend servers, etc. can all affect HIPAA compliance cost. If cybersecurity was considered when purchasing, implementing and maintaining these devices, the costs to comply with HIPAA at this point will be lower. If security was not considered, costs to get in line with HIPAA will be greater.
  • Your organization’s dedicated HIPAA workforce: Without a dedicated HIPAA team, you might not know how far you are from closing the HIPAA gap. Even with a dedicated HIPAA team, organizations usually require outside assistance or consulting to help them meet HIPAA requirements.

The cost of a data breach

Costs related to a HIPAA program can seem daunting, but they are small in comparison with not protecting PHI. Here are a few data breach costs, fines, and penalties you may not have considered. 
  • HHS fines: up to $1.5 million/violation/year
  • FTC fines: $16,000/violation
  • Class action lawsuits: $1,000/record
  • State attorneys general: $150,000 – $6.8 million
  • Patient loss: 40%
  • Free credit monitoring for affected individuals: $10-$30/record
  • ID theft monitoring: $10-$30/record
  • Lawyer fees: $2,000+
  • Breach notification costs: $1,000+
  • Business associate changes: $5,000+
  • Technology repairs: $2,000+
SEE ALSO: How Much Does a Data Breach Cost Your Organization?

When you look at the high costs paid by organizations found in violation of HIPAA, it’s obvious the consequences are meant to penalize those who don’t adequately protect patient information.

So, how much does HIPAA compliance cost?
If you are a large provider, you’ll probably benefit most from an onsite HIPAA compliance audit. Security experts examine your organization for security risks, provide guidance as you remediate any problems, and consult on the implementation of any outstanding HIPAA requirements.

Your onsite auditor should work with you to complete both your HIPAA risk analysis and risk management plan. Learn the pros and cons of a HIPAA audit here.

If you don’t have the budget for an onsite audit, you’ll need to find a HIPAA expert to help you get through the risk analysis and risk management plan process. Look for an expert who offers technical support when you have questions. Experts will likely recommend you receive external vulnerability scans to find weaknesses in your systems, and hire penetration testers (ethical hackers) to test your system. If you haven’t already, you’ll likely need to purchase HIPAA policy templates and start your employee training.

Taking all the above into consideration, and remembering that this estimate depends on various factors at your organization, here’s how much HIPAA compliance might cost you:

If you are a small covered entity, HIPAA should cost:

  • Risk Analysis and Management Plan ~$2,000
  • Remediation ~ $1,000 - $8,000
  • Training and policy development ~ $1,000-2,000
Total: $4,000 - $12,000


If you are a medium/large covered entity, HIPAA should cost:

  • Onsite audit ~ $40,000+
  • Risk Analysis and Management Plan ~ $20,000+
  • Vulnerability scans ~ $800
  • Penetration testing ~ $5,000+
  • Remediation ~ Varies based on where entity stands in compliance and security
  • Training and policy development ~ $5,000+
Total: $50,000+, depending on the entity’s current environment

Jen Stone (MSCIS, CISSP, QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT. 




GDPR 101 Part 3: What Should I Do Now?

Three tips to get the ball rolling on your GDPR efforts. 

Gary Glover
SVP, Assessments
CISSP, CISA, QSA
This post wraps up the final installment in our 3-part GDPR 101 blog series. This series is based on our GDPR 101 Webinar and is meant to help frame your understanding of the GDPR, educate you on the terms and definitions you need to know, as well as give you practical tips to start your GDPR compliance journey.

If you are a merchant, or any organization that handles the personal data of European Union citizens, you will need to comply with the GDPR. Here are three ways you can make progress today towards your GDPR compliance.

1. Learn and understand 


The first step you should take is to educate yourself. Learn about the GDPR requirements and seek out reliable resources. The Information Commissioner’s Office in the UK has a website and blog dedicated to educating the public about this upcoming data security mandate.

Here are some more GDPR resources to get you started:



2. Assess and plan


In any kind of security effort, the first thing you’ll need to do is create a data-flow diagram. This will help you discover and clearly document where personal data flows. You’ll need to show where sensitive data comes in and out of systems, and how it moves inside the organization.

Determine the security controls you don’t yet have in place. There are worksheets available, like these checklists from the ICO office in the UK, to help you comply with GDPR. At this point, make a plan for how your organization will integrate and complete all the documentation that will be required.

If you already follow other data security standards, like the Payment Card Industry Data Security Standard (PCI DSS), you may find there is some crossover between the data security controls. It’s important to realize that just because you’re certified compliant with PCI DSS or have had a HIPAA audit, that doesn’t mean you’re GDPR compliant.

Even though there are crossovers between data security standards, GDPR has a much larger scope because it includes many types of information that fall under “personal data,” like names, addresses, and telephone numbers. However, if you only handle credit card data, your scope may remain similar to what it already is under the PCI DSS.

You can use online management tools like GDPR Defense to manage your GDPR compliance efforts, securely store documentation, and track important tasks.

3. Assign a DPO or similar position


You may or may not be legally required to appoint a Data Protection Officer (DPO), depending on your “core activities,” or the primary business activities of your organization. According to the UK’s ICO website, if your core activities consist of either of the following, you will be required to appoint a DPO:

  • Processing activities which require the regular and systematic monitoring of individuals on a large scale; or

  • Processing on a large scale of special category data, or data relating to criminal convictions and offenses.


So basically, if your core business activity is data processing on a large scale, or the processing of special or sensitive data, you will be required to have a DPO.

Even if you are not legally required to appoint a DPO, you should assign someone in your organization to serve as a GDPR officer. Assign one person to learn about, delegate, and oversee GDPR efforts at your organization.

WHITE PAPER: GDPR 101

Take steps sooner rather than later


The GDPR becomes enforceable on May 25, 2018. Take these 3 steps now to be as prepared as possible. Small actions now will help you avoid fines and penalties and better protect sensitive data at your organization. If your organization does experience a data breach involving EU citizens' personal data, you'll fare better in the aftermath if you have made a good faith effort to comply with mandates and laws.

SMB? GDPR Defense can help you organize and manage GDPR efforts.

Large Organization? Contact us for GDPR consulting.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

ETA TRANSACT 2018 Wrap Up


The quality of our connections made 2018 our best year yet. 

From our annual golf tournament on Monday to tasty drinks and good conversation on the show floor, TRANSACT 18 was a huge success.

Mix and Mingle with a QSA

Our theme for 2018, “Mix and Mingle with a QSA,” was complemented by our unique mixed soda bar featuring security-themed flavor options.

Attendees flowed through our booth to grab drinks and chat with QSAs about data security and PCI compliance. The most popular drink was the “Penetration Test,” with Dr. Pepper, coffee, coconut, and cream.


Matt Brown ready to demo our latest PCI compliance tools. 

Mixing and mingling with our QSAs.

PCI DSS Compliance Done Right.

Visitors standing in line for yummy sodas!
Bird's-eye view of SecurityMetrics' booth.

Data Breach Panel with Gary Glover


On Tuesday, our Senior VP of Assessments, Gary Glover (CISSP, CISA, QSA, PA-QSA), participated in the Data Breach Panel sponsored by Fortner. He and other panel members related that when organizations are breached, they are almost never PCI compliant. They also reported investigators see hundreds of compromises at small retailers which we never hear about on the news.

Gary specifically advised retailers to stop looking for an “easy button” to solve data breaches. Many merchants look for a piece of hardware or software to solve the problem. “But there isn’t,” he said during the panel. “Some of the solutions don’t cost much; it’s processes. It’s procedures. It’s figuring out who is really looking at your remote access. Who is really doing your internal scans? Who is really configuring your network to try and keep people out of certain zones? We’re still seeing all kinds of architecture mistakes.”

You can read more about the Data Breach Panel here.

Annual Golf Tournament at TPC Summerlin


The Las Vegas wind didn’t stop our golf teams from showing up on Monday. As part of the pre-conference roster, this annual tradition is the perfect time to get to know our partners and friends in the payments industry.

Our winners are as follows:
Start your engines. 

Closest to the Pin 
Front nine winner: Wally Mylnarksi

Back nine winner: Jerry Nelson

Longest Drive
Front nine winner: Marc Roberts
Back nine winner: Joe Benson

Golf Tournament Winners
1st: Wally Mlynarski, Ian Stuttard, Chris Taylor, Al Echamendi               
2nd: Don Kissock, Scott Kim, Daniel Shin, Shawn Dalton                               
3­­rd:  Mike Fox, Thad Sheffield, Eric Woodson                           


Golf team ready to win. 

Lining up the put.
Windy but beautiful day on the course.
A great put. 


We can’t wait to see everyone again next year!

If you weren’t able to visit with our QSAs or sales team or still have questions, please reach out to us anytime.

For information about PCI audits, HIPAA audits, or other data security services, please visit us here.

How Prepared are UK Businesses for GDPR?

Learn about the General Data Protection Regulation and how UK businesses are preparing.

The EU General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. This government mandate introduces tougher laws about processing and handling personal data of EU citizens, tightens the timeline for breach reporting, and protects numerous individual rights.

Some businesses in the UK have researched and made preparations for the GDPR. Other still do not know what the GDPR is. Fines for data breaches and non-compliance can range between 4% of a business’s annual global turnover (aka revenue) or €20 Million—whichever is greater.

There are two major parties when it comes to GDPR: Data Controllers and Data Processors. It’s important that organizations determine which group they belong to, so they can understand the scope of their responsibility. Data Controllers are entities or individuals that need to process personal data in order to do business. They determine the purposes for which and the manner in which the personal data is processed. Data Processors take and process personal data on behalf of the Controller.

SEE ALSO: GDPR FAQs 

We interviewed over 250 management and IT professionals in the United Kingdom about GDPR and their GDPR compliance efforts. This infographic is an analysis of their collected responses.

GDPR priority levels among UK businesses


While 44% of UK organizations we interviewed consider GDPR a high priority, 35% still do not know what GDPR is. What does this mean? Sometimes companies are simply busy or they don’t realize how significant the GDPR is to them. There could also be a lack of reliable education and resources.

For those companies that consider GDPR a high priority, there are few GDPR management tools on the market. But, using such a tool is a good way to stay organized and avoid fines down the road. Check out SecurityMetrics GDPR Defense for more tracking options.

How ready are UK businesses for GDPR?


With the May 25th implementation date looming near, organizations report varying levels of readiness. Nearly 50% of companies that we surveyed say they are 50% ready or less for GDPR.

If businesses already follow security standards like the PCI DSS or HIPAA, there may be some overlap in the security controls they already have in place. However, GDPR has a much larger scope and protects data subjects’ rights to a greater extent.

Download our GDPR 101 Webinar

Resource planning for GDPR


We asked businesses how they plan to meet GDPR requirements. Again, a large chunk of respondents report not knowing what GDPR is. For those with a plan, most expect to handle the requirements of GDPR themselves and only 17% will hire someone to help. 

It’s difficult to say yet exactly how much GDPR compliance will cost businesses. The true amount will depend on many factors, including company size, current security controls, the amount of data processed, and the handling methods.

We asked companies what they estimate to spend annually on GDPR compliance. Over half reported that they expect to spend less than $200 annually. Only 9% reported planning for $3000 or more.

Again, the appropriate budget for each company is dependent on many factors and will likely change as time goes on and businesses are more familiar with GDPR compliance. But as of a few weeks before implementation, it appears that companies plan to spend a very minimal fraction of their budget on GDPR compliance.

SEE ALSO: GDPR 101 Part 1 Blog, GDPR 101 Part 2 Blog

What we’ve learned about GDPR readiness in the UK


We found that 62% our respondents already work toward compliance with the PCI DSS. This can be seen as a strength or a weakness, depending on how a company handles its data security overall. While we mentioned that yes, there are overlaps between PCI and GDPR, the scope and breadth of each compliance mandate are different. GDPR applies to all personal data—also known as personally identifiable information (PII)—and its intent is to protect the privacy rights of individuals.

UK respondents were on average only 54% ready for GDPR implementation and 57% consider GDPR a medium-to-high priority. This means that there is still plenty to be done. The key is to find reliable resources and tools that provide a starting point and a map for the GDPR compliance journey.

SecurityMetrics GDPR Defense 

If you have questions about data security mandates or standards like GDPR, PCI DSS, or HIPAA, contact us here.