How many of you cringe or panic at the sight of regulation acronyms? It's easy to get overwhelmed with what compliance entails, the confusing lingo and the changing landscape. As the Product Manager focused on regulatory compliance, I spend a lot of time keeping up with these rulings and laws to determine if/how they impact the current Oracle Service Cloud solution as well as upcoming enhancements and new functionality.
In this blog post, I would like to introduce you to a little primer on regulations that many of you encounter as you manage customer data in your Oracle Service Cloud instances. While there are government-related offerings for the Service Cloud, today I'd like to share some valuable pointers on how you can administer your site in retail, financial services, and health care regulated environments.
First, three regulatory acronyms you should be familiar with:
PCI DSS defines the technical and operational requirements for organizations that store, process or transmit cardholder data. For more official information: https://www.pcisecuritystandards.org/
HIPAA is a U.S. law that the Health & Human Services Department uses to ensure an individual's health information is kept private and secure. It includes standards for electronic health care transactions, unique health identifiers, and security (incorporated from the HITECH Act). For more official information: https://www.hhs.gov/hipaa
In case you were not aware, Oracle Service Cloud offers a Payment Card Industry (PCI) attested environment as a Service Provider Level 1 and environments that meet the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules as a Business Associate. Oracle is assessed annually by a third party for PCI and HIPAA compliance for our infrastructure and specifically for the Service Cloud software.
By the way, the terms "Service Provider" and "Business Associate" clarify Oracle's role in providing a compliant service and how our audit is conducted. Special attention is given to certain requirements that are more important for, or only available from, a provider of a cloud service.
Our Attestation of Compliance confirms that the services we offer have been deemed PCI compliant. The HIPAA accreditation we receive also ensures we have met the required guidelines for safeguarding protected health information. However, with the endless possibilities for customizing your Oracle Service Cloud site, you must consult with your PCI assessor or HIPAA auditor to ensure your compliance. For example, if you diverge from the default data model by creating custom fields, be sure to validate that proper controls are put in place.
When purchasing our specialized offerings with Service Cloud, you can also include a Technical Account Manager or Oracle Cloud Priority Support. The technical assistance these services offer includes assessing your customizations for suspicious and vulnerable code and offering best practices for a regulated environment.
Oracle operates on a shared responsibility model, which means that you share responsibility for ensuring PCI or HIPAA compliance. Purchasing the PCI or HIPAA compliance packages doesn't automatically guarantee your organization is in compliance with these regulations! Make sure that you review the Oracle Service Cloud Restricted Environment Deployment Guide to learn what specific considerations and controls to pay special attention to when deploying Oracle Service Cloud. It offers guidance on securing and protecting your data, giving you the ability to configure a compliant environment. You can also get to this guide through the Support Knowledge Base, specifically Answer 9570: Guidance for Implementing in PCI or HIPAA Service Cloud Environment.
If you have questions about these regulations, what they mean for your organization or about how to ensure your site is in compliance, please leave a comment and let us know. Also, if you have experience or advice with keeping your site compliant, leave a comment and share your experience!