PCI Compliance, SOC, and HITRUST
- Written by Debra J. Ciskey
With the June, 2019, disclosure of a data breach at AMCA looming large in the rearview mirror, debt collectors both large and small are scrambling to verify the security of their consumer portals and their consumer information in general. With numerous vendors and auditors serving the industry in this key area of compliance, it is helpful to understand who’s who and what they can offer industry members. This article is the first of a series profiling data security firms serving the collection industry.
A newer player in the debt collection sector despite loads of experience in other business sectors, is the Drummond Group. As a first-time participant in the recent ACA Annual Convention and EXPO in San Diego, company representative Pierre Jamet told me that the Drummond Group’s booth was abuzz with industry members seeking information about data security audits, PCI compliance, SOC, and HITRUST.
I asked Jamet what sets the Drummond Group apart from other vendors and consultants offering similar services. He described their “security first” approach, which for clients means more than merely checking the “compliant” box on a data security questionnaire. It ensures achieving best practices for security at the same time as reaching a compliant status. Being secure provides a higher level of safety than merely being compliant.
Jamet explained that automated audits provide peace of mind that audits are occurring on a timely basis with little impact on the workload of IT staff. Such audits help agencies maintain compliance with client requirements for regular and timely audits. The Drummond Group regularly performs PCI DSS and PA-DSS audits and any other body of work required, including on site audits, quarterly vulnerability scans and gap assessments. Applying the company’s “No Jerks” policy, which says that the company will be there for its customers, and won’t make their customers feel stupid, Jamet taught me that PA-DSS are examinations of proprietary payment applications developed internally by a company for its own use. PCI Compliance services, including assessments for level 1 and level 2 service providers or merchants, provide strategies for ongoing compliance management. Gap analysis and self-assessment questionnaire support is also available.
For the assurance of clients, many of whom have become focused recently on quality assurance, Drummond Group provides audits and SOC attestations for SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and, once released, SOC for Supply Chains. In the collections space, SOC 2 exams meet most client requirements regarding principal service level commitments and system requirements.
Another differentiator in the marketplace is the company’s HITRUST Assessment Services. They have twice as many assessors on staff than many other providers, ensuring timely completion of projects. In fact, their approach to audits allows clients to complete multiple certifications with only one assessment engagement because the company gathers evidence once, broadly, so it is available for multiple uses. This approach also restrains costs considerably. Additionally, Drummond Group employs only U.S. based, full time and certified team members.
Knowing to whom to turn for client-required data security certifications can be a strain on debt collectors of any size. With huge concerns about data security, clients may consider this branch of compliance even more important that the consumer protection compliance issues we face under the CFPB and the pending Regulation F. In my next several articles I will profile other data security assessment and certification providers to make this process easier for readers.
Debra is the Executive Vice President at The Collections Coach, LLC. She began her nearly 40 year career in the collection industry in 1980 at ACA International in the federal affairs department, then leading the association’s Education initiatives as Director of Education. As an ACA instructor since 1983, Debra has taught nearly 200 ACA Seminars, and she served on ACA’s Board of Directors for 2 terms spanning 2012 to 2018. In 2000, Debra was inducted into ACA’s International Fellowship of Certified Collection Executives, and was named ACA’s Instructor of the Year in 2005.