SOC 1, SOC 2 + HITRUST CSF, PCI DSS, and HIPAA Compliance

STL is constantly striving towards higher levels of security. Our compliance achievements verify that we have the proper internal controls, processes, and information security control structure in place to deliver high quality services to our clients.


SOC 1 is a reporting standard established by the AICPA that focuses on the controls at a service organization that are relevant to an audit of a user entity’s financial statements. A SOC 1 report demonstrates that the organization has adequate controls and processes in place. Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA require organizations to assess the internal controls of the service providers they rely on.


HITRUST and the AICPA have collaborated to develop and publish a set of recommendations that streamline and simplify the use of the HITRUST CSF and CSF Assurance programs for SOC 2 reporting. A SOC 2 + HITRUST CSF report expresses an opinion on whether the controls at a service organization are suitably designed and operating effectively to meet the HITRUST CSF requirements in addition to the applicable Trust Services Criteria, in a single report.


Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a comprehensive security standard that covers security management, policies, procedures, network architecture, software design, and other critical protective measures. It applies to any merchant or service provider that stores, processes, or transmits cardholder data. The standard was created by the payment brands (Visa, MasterCard, Discover Financial, American Express, and JCB International) to strengthen controls around cardholder data and reduce payment card fraud.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA Security Rule is a national standard for the protection of individuals’ electronic protected health information (ePHI). An organization that manages ePHI must protect it against reasonably anticipated threats and against impermissible use or disclosure; the rule requires a risk analysis and the implementation of appropriate administrative, physical, and technical safeguards. HIPAA is enforced by the HHS Office for Civil Rights (OCR).


Personally, I like the ‘NON-CORPORATE’ approach to resolutions of problems.

The ‘like home’ or ‘neighbor’ feeling is appreciated from the concern of the issue, to the knowledge of ‘we can handle the problem.’

There has been a huge amount of friendship developed with STL due to the concerns of how we do business and why we are doing it this way. With that information has come knowledge of our needs for future growth.

More important is the timely support and quality of support based on this knowledge.

Gary W. Howell, Greater Peoria Mass Transit