In order to do business, your WordPress website and business have to adhere to rules and regulations. These rules and regulations may take the form of laws (such as GDPR or HIPAA). They may also be compliance requirements, such as PCI DSS or ISO 27001, and may vary from one country to the other.
What is compliance?
Regulatory compliance, or simply, compliance describes the state of a business being in line with rules and established guidelines specified by a regulatory body.
Compliance is a vital component in any organization valuing transparency, security and accountability. Businesses can leverage compliance to conduct business in-step with requirements, laws, and regulations with the right attitudes. And of course, improve the security of their business operations and WordPress website.
Every business is different. Therefore there is no cookie-cutter template to follow when it comes to compliance. It also depends on where in the world your business operates, who you do business with, and what data your WordPress site collects from end-users.
While it would be impossible to list all compliance regulations, the following are a few common ones to be aware of as a WordPress website owner:
- General Data Protection Regulation (GDPR) is a European Union (EU) data protection and privacy legislation. It helps enforce the protection of EU citizens’ processing of personal data.
- Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations handling credit card data, such as eCommerce stores. The scope of PCI DSS is to increase controls around handling and managing cardholder data, to reduce credit card fraud. If you have an eCommerce solution, or sell anything online read our PCI DSS guide for WordPress website owners.
- ISO 27001 is a specification outlining a framework of policies and procedures that includes legal, physical and technical controls involved in an organization’s risk management processes.
- Health Insurance Portability & Accountability Act (HIPAA) is a United State legislation. It addressses data privacy and security of patients’ medical records.
Why does regulatory compliance exist?
Different regulatory compliance requirements exist for different reasons. In general, compliance requirements exist to to help businesses achieve a certain level of security. Depending on the compliance requirement or regulation, some may require an organization being subject to regular audits. Typically, businesses face penalties for non-conformance in the form of fines, or loss of accreditation.
Compliance plays a huge role when it comes to security. Many compliance requirements outline (in varying degrees of detail) security controls and processes that must be in place in order to meet specific criteria of the said compliance regulation.
Naturally, regulation typically occurs to bring order to chaos. An example of this is PCI DSS. It came into play because online credit card processors weren’t taking the necessary security precautions to keep cardholder data secure. More recently, GDPR came into play to reform and harmonize EU data privacy laws, and improve the privacy of EU citizens. GDPR allows legislators to impose tough penalties on organizations which do not conform to the data privacy laws within the EU.
Why are regulation and compliance a good thing?
Compliance and regulation are associated with laws, constraints, audits and penalties. So they often get a bad reputation. However, it is needed to help organizations understand the importance of observing the laws and operate ethically.
However, compliance is also a necessary evil. It increases business complexity, expenses, and sucks up a lot of time otherwise spent growing the business.
Having said this, the pros to making a conscious effort to comply to rules significantly outweigh the cons. Organizations have the opportunity to bolster transparency; establish customer trust and expand into new regulated markets to attract larger customers.
Is compliance enough to ensure security?
Unfortunately, compliance is commonly mistaken for security. An organization may be compliant, but not properly secure. On the flip-side, it’s rare to find organizations which are secure but not in compliance.
Compliance is a point-in-time, one-size-fits-all assessment that indicates an organization meets a minimum security requirement. Regulatory standards such as PCI DSS and HIPAA for instance, have a checklist of such security requirements.
Security defenses on the other hand, provides technical measures to safeguard against bad things happening, like leaking sensitive customer information. In other words, while a company policy may suffice for a compliance control, it does not mean it’s not technically possible. A simple example of this would be NSA. Wile it certainly forbids copying and distributing of classified documents, nothing actually stopped Edward Snowden from doing so.
Where do you start with WordPress compliance?
Compliance can be intimidating, and sounds like an impossible task to achieve. However, it is not. Luckily, a lot of documentation and help is available for WordPress website owners, such as our PCI DSS guide to WordPress site owners. You can start by following the list of pointers we have prepared for you:
- Figure out what compliance requirements you’re subject to — laws and regulations vary significantly from one country to another. Depending on the size, type and complexity of your online business and eCommerce store you may want to double check with local authorities. You can also seek professional help in this area where necessary.
- Brush-up your security — good WordPress security practices are not only central and required by regulations, but they also make your life significantly easier. For example you can start by doing the following:
- Embrace security and compliance — it may seem like a bitter pill to swallow at first. However, the sooner you embrace security and compliance as an essential business function, the less friction this will cause in the long run, and the less WordPress security issues you will have.