All,
Is there any law enforced by regulatory bodies to encrypt
1. Credit Card info
2. SSN
I need some document on it, which I can use for my presentation to my
management. Any US Bill's text can also be useful.
TIA

The following is a FAQ concerning the PCI and CISP standards for encrypting
CC numbers.
http://www.patownsend.com/VisaPCI-CISP.htm
Federal legislation such as SOX, HIPAA and GLBA also have regulations for
how such information is stored and how it can be shared with 3rd parties.
However, some of these regulations, such as SOX compliance, only apply to
publicly held companies.
"Kay" <CallDBA@.hotmail.com> wrote in message
news:OrmvCxc%23FHA.2608@.tk2msftngp13.phx.gbl...
> All,
> Is there any law enforced by regulatory bodies to encrypt
> 1. Credit Card info
> 2. SSN
> I need some document on it, which I can use for my presentation to my
> management. Any US Bill's text can also be useful.
> TIA
>

It can depend on what type of data it is. For example, if these are SSN in
medical records or health care claims, then HIPAA regulations would be in
effect. There can be other industry specific regulations such as banking,
etc. I don't know of any general encryption requirements in any law for the
storage of data.
Usually if there is a law, it requires the keeper of the data to protect
access to the data. Other laws such as HIPAA go a bit further and require you
to log who, what, where, when and how the data was accessed.
Hope that helps,
Joe
"Kay" wrote:
> All,
> Is there any law enforced by regulatory bodies to encrypt
> 1. Credit Card info
> 2. SSN
> I need some document on it, which I can use for my presentation to my
> management. Any US Bill's text can also be useful.
> TIA
>
>

Basically the data is related to eLearning. So what does the law say about this domain?
-Kay
"Joe from WI" <JoefromWI@.discussions.microsoft.com> wrote in message
news:2FF1EDD3-0070-4106-AD4E-3A43C591250F@.microsoft.com...
> It can depend on what type of data it is. For example, if these are SSN
> in
> medical records or health care claims, then HIPAA regulations would be in
> effect. There can be other industry specific regulations such as banking,
> etc. I don't know of any general encryption requirements in any law for
> the
> storage of data.
> Usually if there is a law, it requires the keeper of the data to protect
> access to the data. Other laws such as HIPAA go a bit further and require you
> to log who, what, where, when and how the data was accessed.
> Hope that helps,
> Joe
> "Kay" wrote:
>

Basically the data is related to eLearning.
-Kay
"Joe from WI" <JoefromWI@.discussions.microsoft.com> wrote in message
news:2FF1EDD3-0070-4106-AD4E-3A43C591250F@.microsoft.com...
> It can depend on what type of data it is. For example, if these are SSN
> in
> medical records or health care claims, then HIPAA regulations would be in
> effect. There can be other industry specific regulations such as banking,
> etc. I don't know of any general encryption requirements in any law for
> the
> storage of data.
> Usually if there is a law, it requires the keeper of the data to protect
> access to the data. Other laws such as HIPAA go a bit further and require you
> to log who, what, where, when and how the data was accessed.
> Hope that helps,
> Joe
> "Kay" wrote:
>

I don't see how SSN and credit card numbers could be related to eLearning,
except perhaps in a peripheral way when the user pays for the service, but
that would be more related to eCommerce.
"Kay" <CallDBA@.hotmail.com> wrote in message
news:e$V2GUm%23FHA.1032@.TK2MSFTNGP09.phx.gbl...
> Basically the data is related to eLearning. So what does the law say about
> this domain?
> -Kay
> "Joe from WI" <JoefromWI@.discussions.microsoft.com> wrote in message
> news:2FF1EDD3-0070-4106-AD4E-3A43C591250F@.microsoft.com...
>
>

Just like Jay, I don't see what SSN and CC have to do with eLearning.
If you are accepting credit cards for payments, you may be bound by your
credit card agreement. I don't know of any federal law relating to
eCommerce. Now, if you're a financial institution, credit card company, etc.,
that's a whole other story.
I suggest you contact the financial institution that services your merchant
account or the company that handles your credit card processing for specific
rules.
BTW, I coded an ecommerce site that used a third party credit card
processing company. All we stored in the database was the last four digits
of the cc number and the approval code. The secured web pages, cc
processing, etc. took place at the third party site.
If there is a law either now or in the future, it will undoubtedly be like
HIPAA. You'll have to have comprehensive written procedures outlining how
you protect confidential information from access to the physical hardware
(how do you control who enters the computer room? do they have to swipe a
badge in and out? etc.), how you handle backup media (are tapes stored in
a bank vault or secure location?), network security (does each user have a
separate login with a strong password?), database security, table security,
column security, stored procedure execution rights, etc. Who can access the
data, how do they access the data, when do they access it (i.e. audit log of
who accesses cc, ssn, etc., when, how, for what purpose). If you encrypt data,
how do you do it? Do you use keys? Where are the keys kept? How often do
you review internal procedures and training of personnel?
An example is: User \\Wkstn1\JDoe ran stored procedure usp_Select_All_CC on
12/05/2005 at 1:45 PM at ip address 192.168.1.101 using application "Credit
Application".
Get the gist? Most laws require you to prove that you were taking
reasonable precautions to protect and safeguard the data. Treat ssn, cc,
etc. like you would salary information. Would you want your salary in a
table that anyone could access on the server by running a simple query?
Probably not. Salary information is usually stored in a separate table,
sometimes in a separate database, and in larger companies often stored on a
separate computer. Usually only authorized people are allowed to access
salary information and usually only for "approved" purposes or bona fide
business reasons--not just because they are curious about what someone is
making.
Hope that helps,
Joe
"Kay" wrote:
> Basically the data is related to eLearning. So what does the law say about this domain?
> -Kay
> "Joe from WI" <JoefromWI@.discussions.microsoft.com> wrote in message
> news:2FF1EDD3-0070-4106-AD4E-3A43C591250F@.microsoft.com...
>
>
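Added example, not from this thread: a T-SQL (SQL Server) sketch of the controls Joe describes above, i.e. store only the last four digits and the approval code, read them only through a stored procedure that first writes a who/what/where/when/how/why audit row, and grant execute rights instead of table access. The table, procedure and role names are assumed.

```sql
-- Names (tables, procedure, role) are assumed for this example.
-- Keep only what the business needs: last four digits and the approval code
-- returned by the third-party processor. The full card number is never stored.
CREATE TABLE dbo.CardOnFile (
    OrderID      int         NOT NULL PRIMARY KEY,
    CardLastFour char(4)     NOT NULL,
    ApprovalCode varchar(20) NOT NULL
);

-- Audit log answering who, what, where, when, how and for what purpose.
CREATE TABLE dbo.CardAccessAudit (
    AuditID    int IDENTITY(1,1) PRIMARY KEY,
    LoginName  nvarchar(128) NOT NULL,                   -- who
    ProcName   sysname       NOT NULL,                   -- what (procedure)
    HostName   nvarchar(128) NULL,                       -- where: workstation, as reported by the client
    ClientAddr varchar(48)   NULL,                       -- where: client IP (SQL Server 2008+)
    AppName    nvarchar(128) NULL,                       -- how: application name
    AccessedAt datetime      NOT NULL DEFAULT GETDATE(), -- when
    OrderID    int           NULL,                       -- which record
    Purpose    nvarchar(200) NULL                        -- why, supplied by the caller
);
GO

-- The only path the application has to card data: every call is logged first.
CREATE PROCEDURE dbo.usp_Get_CardLastFour
    @OrderID int,
    @Purpose nvarchar(200)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.CardAccessAudit
        (LoginName, ProcName, HostName, ClientAddr, AppName, OrderID, Purpose)
    VALUES
        (SUSER_SNAME(), OBJECT_NAME(@@PROCID), HOST_NAME(),
         CONVERT(varchar(48), CONNECTIONPROPERTY('client_net_address')),
         APP_NAME(), @OrderID, @Purpose);
    SELECT OrderID, CardLastFour, ApprovalCode
    FROM dbo.CardOnFile
    WHERE OrderID = @OrderID;
END
GO

-- Least privilege: the application role may execute the procedure but not
-- query the table directly. Both objects are owned by dbo, so ownership
-- chaining lets the procedure read the table; no read bypasses the audit.
CREATE ROLE app_billing;
DENY SELECT ON dbo.CardOnFile TO app_billing;
GRANT EXECUTE ON dbo.usp_Get_CardLastFour TO app_billing;
GO
```

HOST_NAME() and APP_NAME() are values the client connection supplies, so treat them as context for the audit trail rather than as authentication.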