Compliance FAQs

Managed intrusion detection solution with built-in vulnerability assessment scanning including PCI scans.

Do you offer consulting services to help me through
these regulations?
A: Yes. We offer professional services to assist with
getting you started and then helping to get you through
the various tasks and requirements that are needed to
become compliant with regulations such as PCI and
HIPAA. From policy writing to training of your staff, to
CISO-as-a-service offerings, we can help you through the
maze of compliance regulations.

Why do I need File Integrity Monitoring?
A: File Integrity Monitoring is very important protection
for your PCs and servers that watches over your program
and system files and can raise alarms when something
changes. Some changes to these files are acceptable (like
Windows Updates), but other changes may not come from
a trusted software publisher and need to be investigated
and possibly remediated. If you do not have a system like
a FIM tool watching over your system, you may not realize
what has changed without your knowledge.

What is the difference between patching solutions
for the Operating System (OS) only and 3rd party
patching?
A: Operating system patching only covers the operating
system itself (such as Windows, Linux, etc.) whereas
3rd party application patching can cover a wide variety
of applications you may have installed on your systems,
such as Java or Adobe.

Why would I need to scan for sensitive data such as
PCI and Healthcare Data?
A: Scanning for sensitive data is important to ensure that
you are not storing any data that should not be stored. It
can also be useful to determine if your staff has copied
data in error or tried to remove data from your systems.

I know I must comply with HIPAA, but do I have to
comply with PCI too?
A: If you are a healthcare entity that must comply with
HIPAA, and your business accepts payments from
patients via credit card, then you most likely will need to
comply with PCI regulations as well. PCI mandates that
all merchants (those that accept credit cards) comply in
one way or another with PCI standards. Discounts are
available for customers who may require both packages.

Why do I need a network diagram with data flows?
A: A complete network diagram is required by regulations
such as PCI. It is also important to document the way
your network has been designed so that troubleshooting
can occur when needed. Under PCI ASV scanning rules,
for instance, you may not be able to pass a filed exception
to failed scans if you do not have a network diagram that
shows open ports and direction of allowed application
data.

Why would we need a penetration test?
A: A penetration test of your systems by an experienced
penetration tester is the only real way to find out if your
systems are secure enough or not. You may not know
what holes exist in your system that can be exploited by
hackers and viruses until it’s too late. Having a pen test
done regularly, especially after major changes to your
systems, may be the only way you learn of issues that can
compromise the security of your systems before it’s too late.

I already have vulnerability tests running on my
systems, is that the same as a penetration test?
A: No. A vulnerability test is designed to report on issues
that may exist, but it does not take the next steps of
trying to exploit those holes to see how far a real attacker
may be able to get if they were able to compromise a hole
such as a missing patch or a misconfigured system. A
penetration test is the only real way to find out how much
damage can be done by a hacker or a virus that makes its
way past your current defenses.

What are the penalties for non-compliance with PCI
regulations?
A: The payment brands may, at their discretion, fine an
acquiring bank $5,000 to $100,000 per month for PCI
compliance violations. The banks will most likely pass this
fine along until it eventually hits the merchant. Furthermore,
the bank may also terminate your relationship. Penalties
are not openly discussed nor widely publicized, but they
can be catastrophic to a small business. It is important
to completely understand your merchant account
agreement, which should outline your exposure.

Why are the PCI-related packages more expensive
than the HIPAA packages?
A: The PCI regulations require more elements as part
of the PCI-DSS compliance mandates, including File
Integrity Monitoring and Daily Review of those Logs, as
well as Penetration Testing for merchants that utilize older
technology for credit card processing.

How do I purchase more hours of professional
services from WHOA?
A: For a customized quote on additional hours of
professional services please contact your WHOA.com
representative.

What insurance does WHOA have in place?
A: WHOA has a multi-million dollar policy which includes
cyber liability provisions in place through USLI, a Berkshire
Hathaway company.

What compliance certifications does WHOA have?
A: WHOA.com has been audited to the highest established
standards of ISO 27001:2013, PCI DSS 3.2 and HIPAA
proving our commitment to deliver compliance for
regulated industries.

For more detailed information on Threat Manager, Active Watch, and Log Manager services, and to receive a full list of features, please contact us.