Regulatory Compliance

VirtuCrypt Regulatory Compliance

Meet Compliance the Easy Way

VirtuCrypt is dedicated to providing hardened, secure, and compliant solutions for all of your data encryption and key management needs. You don’t have to take on the task of meeting security mandates on your own. VirtuCrypt has already done all the heavy lifting to have its devices and facilities audited and certified for compliance with numerous regulatory standards. Utilizing VirtuCrypt’s technology has been proven to significantly reduce the scope and cost of meeting regulatory requirements for organizations of all sizes and industries.

VirtuCrypt Regulatory Standards


PCI DSS

Description:
The Payment Card Industry Data Security Standard outlines the restrictions placed on any organization that handles payment information, from processing transactions to storing cardholder data.

Solution:
In addition to the VirtuCrypt environment undergoing PCI DSS audits, VirtuCrypt’s key management and encryption services are compliant with PCI DSS requirements because all services incorporate tamper-resistant Secure Cryptographic Devices (SCD) with logical functionality specifically designed for organizations operating under PCI DSS requirements. Additionally, a set of rigorous policies and procedures ensure that all data is kept secure, in fulfillment of requirements.


FIPS 140-2

Description:
The Federal Information Processing Standards are used to assign cryptographic modules a value from 1 to 4, with 1 meeting minimal physical security requirements and 4 meeting the strenuous requirements for withstanding extreme environments.

Solution:
All of VirtuCrypt’s devices are validated as FIPS 140-2 Level 3, making them some of the most physically secure in the industry. FIPS 140-2 Level 3 validation requires both tamper evidence and tamper resistance as well as a bevy of physical security measures such as restrictions on vents and locks.

VirtuCrypt’s devices utilize difficult-to-replicate bezel locks, physically reinforced chassis, and a zeroization mechanism that instantaneously erases all sensitive data within the module in the event of tamper, ensuring criminals can never obtain your information.


PCI HSM

Description:
The Payment Card Industry PIN Transaction Security: Hardware Security Module standard defines the requirements for cryptographic modules’ design, manufacture, and deployment.

Solution:
The devices used for VirtuCrypt’s cloud services are validated as compliant with PCI HSM, providing organizations with the assurance that the cloud they’ve chosen is treating their data with the utmost security, both logical and physical.


ANSI X9.24 Part 1 & 2 - TR-39

Description:
Organizations who handle PIN transactions must be compliant with American National Standards Institute TR-39 requirements, which evaluates how businesses treat transaction processing within an ATM or point of sale environment. To perform an audit, the auditor must be CTGA-accredited.

Solution:
VirtuCrypt employs CTGA-accredited Solutions Architects to provide training, helpdesk services, and audit preparation services for clients.

The CTGA training and accreditation allow our Solutions Architects to view your infrastructure from an auditor’s perspective. They’ll design your VirtuCrypt solution from the ground up with compliance in mind the whole way.


HIPAA

Description:
The Health Insurance Portability and Accountability Act of 1996 mandates how healthcare organizations treat the privacy and security of their patients’ Personally Identifiable Information (PII).

Solution:
All VirtuCrypt facilities are certified as HIPAA compliant, and by utilizing VirtuCrypt’s robust Secure Cryptographic Devices, healthcare organizations can easily ensure their patient data is kept encrypted and safe at all times.


SSAE 16 (SOC 1, 2, & 3)

Description:
The Statement on Standards for Attestation Engagements number 16 was established by the American Institute of Certified Public Accountants (AICPA) as a renovation of an older standard called SAS 70. This standard outlines different Service Organization Control levels that deal with different types of reporting.

Solution:
VirtuCrypt’s data centers are SOC 1, 2, and 3 compliant, meeting the reporting requirements for all three levels for Security, Availability, Processing Integrity, Confidentiality, and Privacy.


TIA-942

Description:
The Telecommunications Infrastructure Standards for Data Centers is a standard that outlines the requirements for data center buildings regarding layout, environment, cabling, and more. The tier system establishes increasing levels of reliability, with Tier 4 providing 99.995% fault tolerant availability.

Solution:
VirtuCrypt’s data centers meet the requirements for TIA-942’s highest tier level, providing our customers with the most reliability possible. The data centers utilize multiple active-active cooling paths with redundant power sources that have input from two separate grids with power fed from three substations.


Help Your Auditor Out

We understand that audits can be stressful. That’s why we’ve done everything we can to ensure the process goes smoothly. Our industry-certified Solutions Architects have years of experience performing on-site assessments of complex IT infrastructures, advising you on any needed changes for best security in order to pass your audit.

All actions performed through your VirtuCrypt cloud, from loading keys to adding users, are automatically logged by VirtuCrypt. These logs can be accessed by auditors through accounts with restricted user permissions. Additionally, all VirtuCrypt services allow for customers to set up an external syslog server to which audit logs can be easily exported.