Most of the standards that exist in the finance industry that are relevant to printers/multifunction printers (MFPs) pertain to privacy and security for the general transmission of private data. This blog post will discuss some of these standards, giving finance customers ideas of questions to ask their print technology provider.
But first, why are industry standards and compliance important?
The importance of securing all products involved in processing financial data cannot be overstated, as the costs associated with security breaches in the financial sector are staggering. A recent survey conducted by the Ponemon Institute showed that the average annualized cost of cyber-related crime was higher for the financial industry ($18 million) than for any other industry. Financial audits, typically performed twice per year, often uncover vulnerabilities related to the transmission of, and improper access to, financial data.
Payment Card Industry Data Security Standard
A well-known security standard in finance is called PCI DSS (Payment Card Industry Data Security Standard). Essentially, all companies using devices that process, store, or transmit credit card information must meet this standard. Xerox, Konica Minolta, HP, and others actively promote their compliance with this standard.
How secure transmission of credit card data relates to MFPs
One might ask how the secure transmission of credit card data relates to MFPs. The answer is that if a financial institution, retailer, storefront, or other similar entity accepts credit card payments, it may have a process that involves 1) taking an order form or purchase order, which typically includes credit card data, and then 2) scanning, copying, or transmitting that form from an MFP or scanning device to a local or remote server.
This kind of process places the device that has performed the scanning within the scope of PCI DSS, as well as any server (on-premises or off-premises) that may store the data and/or any related metadata. At this point, according to PCI DSS compliance standards, the private financial data that is transmitted is treated with nearly the same scrutiny as patient information related to HIPAA (Health Insurance Portability and Accountability Act) compliance.
Other compliance standards
A variety of other standards exist in the finance industry that pertain to protecting financial information, including information passing through a networked MFP. Industry firms are encouraged to ask their MFP providers to describe and demonstrate how they comply with these standards.
Table 1: Additional finance standards to consider

| Standard | Relevance to financial data |
|---|---|
| SOX (Sarbanes-Oxley Act) | Requires adequate internal controls for reliable financial reporting, including longer storage of larger volumes of sensitive information from different systems, and quick and easy access to digital information |
| Basel III (Basel Committee on Banking Supervision) | Includes stringent data reporting and risk management requirements |
| SOC 2 and SOC 3 (AICPA Service Organization Control 2 and 3) | Relate to security controls associated with the accounting industry |
| ISO 15408 | International evaluation standard for information security |
| FFIEC (Federal Financial Institutions Examination Council, which essentially covers all financial institutions that offer online banking) | Now requires multifactor authentication (MFA) rather than single-factor authentication (SFA), as well as a high level of encryption for all financial transactions or OLTP (online transaction processing). MFA can include biometrics such as voice ID, fingerprint/vein, iris, etc. |
Most financial firms are mindful of key industry standards, but they don’t necessarily understand how they relate to multifunction printer devices. In addition to some of the background information provided in this article, these firms are advised to speak to their business technology providers specifically about this question.