GDPR for IBA and Data Security
Printed from http://www.bodytalksystem.com//learn/news/article.cfm?id=1055 on Dec 15, 2018.
Apr 28, 2018
By IBA Office
Data privacy has been in a lot of headlines lately and so it's important to let you know what the IBA is doing to protect your data.
Last time I talked about the European Union's General Data Protection Regulation (GDPR), providing a summary of the law as we believe it pertains to us, the IBA. Now I am going to let you know what changes we are going to make to comply with this law.
Summary of GDPR changes for the IBA
- Firstly, we will provide a GDPR Disclaimer for anyone to view. This provides a summary of our philosophy as it pertains to data capture and use.
- Currently, Members can search for other Members (under Members -> Listings). Due to privacy concerns, we will be removing this feature. The Practitioner search will remain, but its results will exclude any Practitioner who does not wish to have their details shown on the website.
- When a Member signs up or renews their membership, they must check a box that they understand how and why their information is used and what to do if they wish to be excluded. This is currently only available on the Member profile page.
- All Instructors must give us approval to show their details on our website. If not:
  - we exclude their courses from the Course Listing,
  - we exclude their name from Instructor lists,
  - we exclude any videos that make mention of them,
  - we exclude any case studies they have submitted,
  - we do not allow them to submit new case studies,
  - we also do not allow them to post any messages in the forum,
  - all course history, and other pages with historical information (e.g. Course Certificates, CE Certificates), will show the Instructor's name as "withheld by request".
- All Practitioners will have to give us approval to show their data on our website. If not:
  - we will exclude them from the Practitioner search.
- We will send an email to all Members (past and present) asking them to advise us if there is any material on the website that they authored or in any way contributed towards (including newsletter articles, embedded content, case studies, forum messages, etc.) with which they no longer wish their name to be associated. In this case, they need to tell us what information and which web page, so we can address it. We will then make sure the material is either removed or their name is redacted, with that decision being our (the IBA's) choice. Failure to respond will mean the IBA takes no action to remediate any data for that individual.
- If a person leaves the IBA and wishes to have all their data removed, we will, through the Admin feature, replace all their data with a pre-defined set of values, while preserving all their current information in an archive table and setting their privacy indicator to true (so their name shows as withheld, etc.).
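The removal step described in the last bullet (archive the live record, overwrite it with pre-defined values, set the privacy flag) is shown below as an added example. This is not the IBA's code: the `members` and `members_archive` tables, the column names, the placeholder values and the two sample members are all constructed for this illustration. The point it makes beyond the bullet is that archive-copy, overwrite and flag-set must happen in one transaction, so a failure part-way through can never leave a record that is half redacted or archived without being redacted.

```python
"""Added example of a GDPR erasure routine with an archive table (hypothetical schema)."""
import sqlite3
from datetime import datetime, timezone

# Pre-defined replacement values written over the live row (constructed for this example).
REDACTED = {"name": "withheld by request", "email": "", "phone": "", "address": ""}


def open_demo_db() -> sqlite3.Connection:
    """In-memory database with a constructed schema and two sample members."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE members (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT,
            address TEXT, privacy INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE members_archive (
            member_id INTEGER, name TEXT, email TEXT, phone TEXT,
            address TEXT, archived_at TEXT);
    """)
    conn.executemany(
        "INSERT INTO members (id, name, email, phone, address) VALUES (?, ?, ?, ?, ?)",
        [(1, "Jane Doe", "jane@example.com", "555-0100", "1 High St"),
         (2, "John Roe", "john@example.com", "555-0101", "2 Low St")],
    )
    conn.commit()
    return conn


def erase_member(conn: sqlite3.Connection, member_id: int) -> str:
    """Archive the live row, overwrite it with REDACTED values and set privacy=1.

    All three writes run inside one transaction: `with conn:` commits on success
    and rolls back on any exception, so the live row is never left half-done.
    Returns what the website would now display for that member."""
    row = conn.execute(
        "SELECT id, name, email, phone, address FROM members WHERE id = ?", (member_id,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no member with id {member_id}")
    archived_at = datetime.now(timezone.utc).isoformat()
    with conn:
        conn.execute(
            "INSERT INTO members_archive VALUES (?, ?, ?, ?, ?, ?)", (*row, archived_at)
        )
        conn.execute(
            "UPDATE members SET name = ?, email = ?, phone = ?, address = ?, privacy = 1 "
            "WHERE id = ?",
            (REDACTED["name"], REDACTED["email"], REDACTED["phone"], REDACTED["address"], member_id),
        )
    return public_name(conn, member_id)


def public_name(conn: sqlite3.Connection, member_id: int) -> str:
    """Name as shown on the website: the privacy flag wins over whatever is stored."""
    name, privacy = conn.execute(
        "SELECT name, privacy FROM members WHERE id = ?", (member_id,)
    ).fetchone()
    return "withheld by request" if privacy else name


def live_row(conn: sqlite3.Connection, member_id: int) -> tuple:
    return conn.execute(
        "SELECT name, email, phone, address, privacy FROM members WHERE id = ?", (member_id,)
    ).fetchone()


def archived_row(conn: sqlite3.Connection, member_id: int):
    return conn.execute(
        "SELECT name, email, phone, address FROM members_archive WHERE member_id = ?",
        (member_id,),
    ).fetchone()


if __name__ == "__main__":
    db = open_demo_db()
    print(erase_member(db, 1))      # withheld by request
    print(live_row(db, 1))          # redacted values, privacy = 1
    print(archived_row(db, 1))      # original values kept in the archive
    print(public_name(db, 2))       # John Roe (untouched)
```

Access to `members_archive` should be restricted to the small group that handles removal requests; the archive exists so the organisation can answer a later query about what was held, not so the website can fall back to it.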
Clearly there are a lot of changes and there may still be more as we go through this process.
What do Practitioners and Instructors need to do to better understand how GDPR affects them?
It is important that you understand the intent of the regulation. While GDPR does not legally affect organizations with fewer than 250 employees, and applies only to organizations that capture EU citizens' data, the intent is a good one and one that I feel we should not hesitate to comply with. A good summary of how this might impact you can be found here: https://www.irishhealthhour.com/blog/2018/3/30/a-practical-implementation-gdpr-guide-for-self-employed-health-amp-wellness-practitioners-and-coaches. (Thanks to Charlotte Nielsen for providing this link via the forum.)
Credit Cards and Data Security
Another big change in 2018 is the new Payment Card Industry Data Security Standard (PCI DSS) release. Many of you may already know about this, but for those of you who don't, let me offer some background. First I must apologize for this document's more technical focus; however, I feel it's important for everyone to understand the degree of change we continue to make to keep your data safe.
PCI DSS Background
All companies that process credit card transactions are known as merchants. Merchants fall into one of four merchant PCI compliance levels, which are determined based on their transaction volume and type over the period of a year. Transactions include all credit, debit and prepaid cards.
Merchant Level 1 - over 6 million transactions processed per year
Merchant Level 2 - 1 million to 6 million transactions per year
Merchant Level 3 - 20,000 to 1 million transactions per year
Merchant Level 4 - less than 20,000 transactions per year
The IBA is a Merchant Level 3.
All merchants are required to attain PCI compliance. PCI compliance entails:
- Completing and passing an annual Self-Assessment Questionnaire ("SAQ"). There are different SAQs depending on your business model. The IBA is classified as a "card not present" or e-commerce business and therefore completes SAQ type A. This questionnaire is very thorough and consists of well over 250 questions, or requirements, that cover every aspect of our business, including server and software setup, business practices, etc.
- Completing an Attestation of Compliance form. Note: ultimately, compliance validation requirements are set by the acquirer.
- Our websites undergo quarterly network scans by an Approved Scan Vendor (ASV) and any detected vulnerabilities are addressed. Failure to address any vulnerabilities in a timely manner results in fines.
PCI compliance is not a one-time solution, but rather a practice in which we must be continually engaged in order to ensure compliance.
More details about PCI DSS can be found here: https://www.bodytalksystem.com/referenced_documents/PCIDSS_QRGv3_2.pdf (this document was provided by the PCI Security Standards Council on its website: https://www.pcisecuritystandards.org).
A Brief History of the PCI DSS
The first version of PCI DSS, or PCI DSS 1.0, was released December 15, 2004. It was designed when five major credit card issuers (Visa, MasterCard, American Express, Discover and JCB) pooled their individual security measures to increase controls around cardholder data. Once these companies had developed protocols that created an added layer of protection, holding merchants to certain standards when collecting, storing, processing and transmitting consumer data, the PCI DSS ("the Standard") was formed.
Since its inception, the Standard has gone through several upgrades to reflect emerging technologies and changes in risks and threats, and to add clarity and flexibility.
The latest PCI DSS 3.2 changes were developed and initially published in April 2016, with a brief description of the upcoming changes and a timeline. Initially set for February 18, 2018, the official release date has now been pushed back to June 30, 2018. Until then, PCI DSS 3.2 will be considered "best practices."
What Changes can we expect from the PCI DSS 3.2 Update?
There are a few major changes you can expect from the PCI DSS 3.2 update, as well as several smaller changes that are set to protect our customers' cardholder data, along with our company and our reputation. (A more detailed analysis of the changes can be found in a PCI document here, https://www.bodytalksystem.com/referenced_documents/PCI_DSS_v3-2_Summary_of_Changes.pdf, and on the PCI website.)
The PCI Security Standards Council has announced that one of the most significant changes that accompanies PCI DSS 3.2 is the addition of "multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user's identity and grant access to sensitive information, even if they are within a trusted network."
This basically means that, upon implementation of PCI DSS 3.2, users must provide two or more credentials to gain access to credit card data and related systems.
The Transition to a More Secure Version of Transport Layer Security (TLS)
The transition from SSL (Secure Sockets Layer) and TLS 1.0 to a more secure version of TLS (at least 1.1) was originally planned for June 30, 2016, but official enforcement was extended to June 30, 2018.
Various Additional Changes to PCI DSS 3.2
PCIComplianceGuide.org has shared several additional moderate changes to PCI DSS 3.2, including:
- Added Service Provider Scrutiny.
Each time a service provider makes changes to its management, it becomes subject to additional penetration testing, on a more frequent basis.
- New DESV Requirements.
An acquirer or payment brand can designate certain organizations that require additional validation beyond the existing PCI DSS requirements as Designated Entities Supplemental Validation (DESV). Many companies use the DESV validation standards even if not required to, as a matter of best practice. The specific updates regarding DESV have not been announced yet, but you will find them in the appendices of the DSS.
- Updated Rules Regarding Displaying Card Numbers.
This change will relate to the upcoming changes to overall card number standards.
- Changes to Requirements in the SAQs.
Some of the Self-Assessment Questionnaires (SAQs) will have additional requirements while others will have fewer requirements, but PCICompliance.org does not anticipate a great deal of impact with these changes.
What do the PCI DSS 3.2 Changes mean to the IBA?
The IBA takes data security very seriously. We are already implementing the necessary changes to PCI DSS 3.2 and expect to be fully compliant by June 1, 2018.
As part of these changes we will also be enforcing stronger passwords and requiring entry and/or validation of your email. This will all be implemented as part of a modified login procedure that will only appear if you have not completed the necessary tasks. The prompt will require you to:
- Change your password. Your new password must be a strong password as defined by PCI and viewable here: https://www.bodytalksystem.com/referenced_documents/Payment-Data-Security-Essential-Strong-Passwords.pdf
- Validate or enter your email address
- Acknowledge you have read, understand and accept the GDPR disclaimer.