Day: April 11, 2012

Financial IT: Attain Compliance While Staying In Business

In a previous post on our IronOrbit blog, we discussed how healthcare legislation over the last 15 years has directly and indirectly altered the industry’s IT requirements. Some legislation, such as HIPAA and HITECH, straightforwardly requires more secure management of patients’ electronic records. Other laws, such as the Affordable Care Act, change healthcare IT by, for example, adding patient volume or increasing the documentation requirements of medical practices that involve electronic records. Today we will discuss legislation and regulations that affect the IT requirements of retail and financial services businesses in similarly direct and indirect ways.

Like healthcare IT legislation, retail and financial services IT regulations developed only after electronic storage and transfer of data in those industries had become ubiquitous. The IT regulations of retail and financial services were drafted for different reasons, however. Customers and payment card companies had always tacitly expected and demanded that businesses accepting credit cards and other forms of electronic payment securely manage, store, and transfer sensitive financial data. Retail businesses that failed to properly manage credit card data might be punished with fines or decreased sales, but until recently neither the government nor the payment card companies had imposed explicit, consistent, or punishable data security regulations. For accounting departments and financial services companies, on the other hand, data security was never the primary IT issue. Economic scandals in the early 2000s and 2008 convinced lawmakers that financial services required better records management standards, more transparent reporting and disclosures, and more oversight of the auditing process. The Sarbanes-Oxley and Dodd-Frank acts were the result of this thinking.

Sarbanes-Oxley (2002). In response to the corporate scandals of Enron, WorldCom, Tyco, and others, Congress drafted Sarbanes-Oxley to discourage auditing malfeasance and to make it more difficult for businesses to publicly misrepresent their financial health. Under Sarbanes-Oxley, companies must continually preserve 5 years’ worth of financial records; they need to implement and maintain a stable records management system (paper or electronic); and they have to restrict access to financial data to designated employees or contractors. Also known as Sarbox or SOX.

PCI DSS (2004). Five major credit card companies (VISA, MasterCard, American Express, Discover, and JCB) developed the Payment Card Industry Data Security Standard in 2004 in response to a worsening epidemic of electronic credit card theft and fraud. PCI DSS requires companies to securely store and transmit credit card data and to restrict access to databases containing customer financial information.

Dodd-Frank (2010). The Wall Street Reform and Consumer Protection Act responded to the 2008 economic crisis by extending the requirements for reporting and disclosures and increasing regulation of formerly unregulated financial institutions. Like Sarbanes-Oxley, Dodd-Frank does not address financial services IT directly. However, satisfying the new reporting requirements (mainly about compensation, investments, and sources of funding) may require the IT system to adjust the way it creates, stores, and transfers company documents.

Many companies have to adhere to the regulations of Sarbanes-Oxley, PCI DSS, and Dodd-Frank all at once because they both accept electronic payments and administer their own accounting services. Complying with these regulations simultaneously can be tricky because PCI DSS mandates impeccable security and access control, while Sarbanes-Oxley and Dodd-Frank require companies to deliver the near-opposite: more access to regulators, more honest communication with the public, and increased financial transparency. Usually small and medium-sized companies do not have the IT resources or knowledge to build and maintain an IT infrastructure with the requisite combination of security and openness.

SMBs certain of their IT’s noncompliance (or, conversely, uncertain of its compliance) should select cloud-based virtualized desktop infrastructures and hosted applications from IronOrbit. Our virtualized desktop infrastructures comply with PCI DSS through strict access control, encrypted transfers, and physically and electronically secure data centers. IronOrbit VDIs also comply with Sarbanes-Oxley and Dodd-Frank through comprehensive daily and weekly data backups and authorized remote accessibility. Additionally, we host individual applications such as document management platforms and accounting software like QuickBooks and Peachtree that also comply with retail and financial services IT regulations. With virtualized desktop infrastructures and hosted applications from IronOrbit, companies involved in retail transactions or performing financial services tasks should feel safe and compliant in putting their money in the Cloud.