General Data Protection Regulation

The main points of GDPR compliance are that operators must take appropriate technical and organisational measures to protect the personal data they hold, and that data subjects have "the right to be forgotten" (the right to erasure).
LPS technology covers these requirements through its infrastructure, leads flow, encryption methods, knowledge tools, and specific functions.

PCI DSS

The LPS solution is built on PCI DSS best practices. PCI DSS (the Payment Card Industry Data Security Standard) is a widely accepted set of policies and procedures intended to improve the security of credit, debit and cash card transactions and to protect cardholders against misuse of their personal information.

The PCI DSS specifies and elaborates on six major objectives:

  1. A secure network must be maintained in which transactions can be conducted.

    This requirement involves the use of firewalls that are robust enough to be effective without causing undue inconvenience to cardholders or vendors. Specialized firewalls are available for wireless LANs, which are highly exposed to eavesdropping and attack. In addition, vendor-supplied defaults for PINs, passwords and other security parameters must be changed before a system goes into service, and customers should be able to change their own authentication data conveniently and frequently.

  2. Cardholder information must be protected wherever it is stored.

    Repositories holding vital data such as dates of birth, mothers' maiden names, Social Security numbers, phone numbers and mailing addresses must be secured against intrusion. When cardholder data is transmitted over public networks it must be protected with strong cryptography. Encryption matters in all forms of credit-card transactions, but particularly in e-commerce conducted over the Internet.

  3. Systems should be protected against the activities of malicious actors.

    Systems must be protected with frequently updated anti-virus, anti-spyware and other anti-malware solutions. Applications should be developed and maintained so that they contain no known vulnerabilities that could let cardholder data be stolen or altered. Patches offered by software and operating system (OS) vendors should be installed promptly and regularly so that vulnerabilities are managed as tightly as possible.

  4. Access to system information and operations should be restricted and controlled.

    Cardholders should not have to provide information to businesses unless those businesses need that information to protect themselves and to carry out the transaction. Every person who uses a computer in the system must be assigned a unique and confidential identification name or number. Cardholder data should be protected physically as well as electronically; examples include document shredders, avoiding unnecessary duplication of paper documents, and locks on trash cans and dumpsters to deter criminals who would otherwise rummage through the trash.

  5. Networks must be constantly monitored and regularly tested.

  6. It is necessary to ensure that all security measures and processes are in place, are functioning properly, and are kept up-to-date. For example, anti-virus and anti-spyware programs should be provided with the latest definitions and signatures, and these programs should scan all exchanged data, all applications, all random-access memory (RAM) and all storage media frequently if not continuously. A formal information security policy must be defined, maintained, and followed at all times by all participating entities.

GDPR Playbook

GDPR is a regulation that requires businesses to protect the personal data and privacy of individuals in the EU, and non-compliance can cost dearly. Here's what every company that does business in Europe needs to know about GDPR:

What is GDPR?

The General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016, replacing the Data Protection Directive of 1995. It carries provisions that require businesses to protect the personal data and privacy of individuals in the EU, and it also regulates the transfer of personal data outside the EU. The provisions are consistent across all EU member states (28 at the time of adoption), which means that companies have just one standard to meet within the EU. However, that standard is quite high and requires most companies to make significant efforts to meet and to administer it.

Which companies does the GDPR affect?

Any company that stores or processes personal data of individuals in the EU must comply with the GDPR, even if it has no business presence within the EU. A company is in scope if it has:

  • A presence in an EU country, or
  • No presence in the EU, but it processes personal data of people in the EU (for example, by offering them goods or services or monitoring their behaviour).

Company size does not affect whether the GDPR applies. It only affects the record-keeping obligation: organisations with fewer than 250 employees are exempt from keeping records of their processing activities unless that processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of sensitive personal data.

What types of privacy data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

What happens if a company does not comply with GDPR?

The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance. According to a report from Ovum, 52 percent of companies believe they will be fined for non-compliance. Management consulting firm Oliver Wyman predicts that the EU could collect as much as $6 billion in fines and penalties in the first year.

A big unanswered question is how penalties will be assessed. For example, how will fines differ for a breach that has minimal impact on individuals versus one where their exposed PII results in actual damage? The consensus is that the regulators will quickly act on a few companies found to be not in compliance early on to send a message. Then, organizations can make a better assessment of what to expect in the event of a non-compliance finding.

What is required of companies in terms of GDPR?

The GDPR requirements force companies to change the way they process, store, and protect customers' personal data. For example, companies may store and process personal data only on a lawful basis, such as the individual's consent, and they cannot keep it "longer than is necessary for the purposes for which it was processed."

That storage limit is closely related to "the right to be forgotten" (the right to erasure). There are some exceptions. For example, GDPR does not override a legal obligation that requires an organisation to retain certain data, such as statutory retention periods for health or financial records.

Several requirements directly affect security teams. One is that companies must provide a level of data protection and privacy "appropriate" to the risk of the processing.

A potentially challenging requirement is breach notification: a company must report a personal data breach to its supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must notify the affected individuals without undue delay when the breach is likely to result in a high risk to them. Another requirement, performing data protection impact assessments for high-risk processing, is intended to mitigate the risk of breaches by identifying vulnerabilities and how to address them before the processing begins.

When is GDPR in effect?

The regulation applies from May 25, 2018, and companies must be able to demonstrate compliance from that date.

GDPR Compliance

GDPR protects users from having their personal information abused and exploited. When a merchant has the personal data it holds stolen, it faces not only business damage but also heavy fines and penalties. LPS technology secures your business and supports your compliance.

LPS technology covers these requirements through three elements:

  • Infrastructure
  • Strong encryption methods
  • Secure leads flow

No thefts, no leaks, ultimate level of sensitive data protection.

LPS's infrastructure is designed for the maximum level of security. All user data, from the moment it is entered on your website, landing page, registration form, etc., is split, encrypted and stored in Amazon Private Cloud.

The end-user has the right to be forgotten.

LPS technology makes this simple. With our one-click delete function, the data you want forgotten is selected and deleted from all related tickets. You don't have to worry about leftover traces; the system handles the deletion securely and efficiently.

Access granted according to business need

With LPS's architecture you are the sole owner of your encryption key, so no one, not even LPS itself, can access your sensitive data without your permission.

  • A flexible data access system lets you define the rules for granting access.
  • Sophisticated reporting tools keep you informed about every interaction with your data.
  • A full alerting system notifies you of any suspicious access. The alert tools are customizable and tell you exactly when the standards you set are breached.

LPS Statement on GDPR

Each GDPR requirement and the LPS technology that addresses it:

  • Protection of personal data (names, e-mail addresses, phone numbers, etc.)
    LPS private cloud, encryption, and PCI DSS best practices.
  • Personal data may be used only for specific business tasks, on a need-to-see basis
    LPS advanced permission system.
  • Right to be forgotten
    LPS one-click system: delete it everywhere.
  • 3rd-party vendors that have access to personal data must comply with GDPR as well
    Cloud-based solution with the encryption key accessible only to the business owner. 3rd-party vendors can access only the business data they need, not personal data, so the processor obligations that GDPR places on parties handling personal data are not triggered for them.
