Compliance for Vancouver and BC Businesses
Hexafusion delivers integrated compliance programs for BC businesses across PIPEDA, BC PIPA, PCI DSS v4.0.1, SOC 2 Type 2, FINTRAC, and the industry-specific frameworks that layer on top. One program, one evidence package, mapped to every framework that applies to you.
Written by Alex Barari, founder of Hexafusion and a former PCI DSS Internal Security Assessor (ISA). Hexafusion is an IT and security firm, not a law firm or AML compliance advisor. We deliver the technical controls, evidence systems, and program documents that compliance programs depend on, and we coordinate with your privacy lawyer and AML advisor on the regulatory and legal pieces.
Which frameworks apply to your business
The compliance picture for BC private-sector businesses in 2026 is dense but mostly orderly. Five core regimes cover almost everyone:
PIPEDA and BC PIPA
Privacy law. Almost every BC private-sector business is subject to PIPA. PIPEDA applies on cross-border data flows and to federally regulated industries. Mandatory breach notification. PIPEDA & PIPA cluster »
PCI DSS v4.0.1
Payment card standard. Applies to any business that accepts, stores, transmits, or processes card data. Enforced contractually through the acquiring bank. PCI DSS cluster »
SOC 2 Type 2
AICPA attestation for service organisations. The default enterprise-procurement requirement for B2B SaaS and technology companies. SOC 2 cluster »
FINTRAC (PCMLTFA)
AML and counter-terrorist financing regime for reporting entities: MSBs, real estate, accountants in triggering activities, BC notaries, mortgage brokers (since Oct 2024), dealers in precious metals, casinos. FINTRAC cluster »
Industry-specific frameworks
CPSBC (medicine), CDSBC (dentistry), Law Society of BC, CPA-BC, BCFSA (financial services and real estate), Health Authorities (BC E-Health), BCID (BC ID standards). Each layers on top of PIPA. See industry pages below.
International overlays
EU GDPR for any business with EU customers or staff. California CCPA for US-California customers. ISO 27001 as a recognised international information-security standard. We deliver mapped programs that cover these alongside the Canadian baseline.
Why an integrated program beats one-at-a-time
The single largest mistake we see in BC compliance work is treating each framework as a separate project with separate policies, separate evidence, and separate program management. The frameworks overlap enormously. A program designed around the highest applicable standard produces evidence that maps to every other framework that applies to you. Industry benchmarks suggest 40-60 percent cost reduction versus running parallel siloed programs.
Where the overlaps live:
| Control family | PIPEDA Principle 7 (Safeguards) | PCI DSS requirement | SOC 2 Common Criteria | FINTRAC IT controls |
|---|---|---|---|---|
| MFA on access | Yes | Req 8 (expanded v4.0.1) | CC6 | Yes |
| EDR on endpoints | Yes | Req 5 | CC7 | Yes |
| Vulnerability mgmt | Yes | Req 6, 11 | CC7 | Implied |
| Encryption at rest & in transit | Yes | Req 3, 4 | CC6 | Yes |
| Audit logging | Implied | Req 10 | CC4 | Yes |
| Awareness training | Yes | Req 12 | CC1, CC2 | Compliance program |
| Backup & recovery | Yes | Req 9, 12 | CC9 | Yes |
| Incident response | Yes (breach) | Req 12.10 | CC7 | Yes |
| Vendor management | Yes | Req 12 | CC9 | Yes |
Every cell in that table is a place where one piece of work satisfies multiple frameworks at once. The integration is the entire point of running compliance as a single program.
Deep-dive cluster pages by framework
Each cluster page covers one framework in detail with industry-specific examples, control mappings, and the practical work we deliver.
Payment cards
PCI DSS v4.0.1 Compliance
Scope reduction, SAQ selection, quarterly ASV scans, segmentation testing, and the 12 requirement families. Written by a former Internal Security Assessor.
Read the PCI DSS cluster »
Privacy
PIPEDA & BC PIPA Compliance
Privacy management program, plain-language privacy policy, 72-hour breach playbook, safeguards statement, cross-border data handling.
Read the PIPEDA & PIPA cluster »
Service organisations
SOC 2 Readiness
Type 1 and Type 2 readiness, Trust Services Criteria mapping, 9 Common Criteria control families, GRC platform implementation, auditor coordination.
Read the SOC 2 cluster »
AML/CFT
FINTRAC IT Compliance
Five-year record retention with immutability, secure FWR submission, identity verification IT, audit trails, encrypted storage. October 2024 amendments covered.
Read the FINTRAC cluster »
Industry-specific compliance pages
Industry pages cover the framework overlays specific to each vertical: clinical college obligations, law society rules, BCFSA conduct standards, and the practical IT decisions for that industry.
Dental clinics
CDSBC/CDA-CDSBC standards plus PIPA. Practice management systems, patient records, payment terminals.
Medical clinics
CPSBC and BC E-Health Act plus PIPA. EMR access controls, audit logging, encrypted communications.
Law firms
Law Society of BC technology and confidentiality rules. Trust account IT controls.
Accounting firms
CPA-BC privacy expectations, FINTRAC triggering activities, client tax data protection.
Real estate
BCFSA conduct rules and FINTRAC reporting entity obligations. KYC retention.
Financial services
FINTRAC for MSBs and securities. BCFSA and federal frameworks. Higher control baseline.
Construction
PIPA, prime contractor obligations, subcontractor data handling, lien and bonding documentation.
Manufacturing
PIPA, supply chain cybersecurity (ITAR/CGP if applicable), customer SOC 2 expectations.
Non-profits
PIPA, CRA charity transparency, donor data protection.
The shared technical baseline
Every compliance program we deliver rests on the same technical baseline. These are the controls that appear in PIPEDA Principle 7, PCI DSS requirements 5-12, SOC 2 CC6/CC7/CC9, FINTRAC IT controls, and almost every industry-specific framework. Deep-dive cluster pages cover each one in detail.
Multi-Factor Authentication
Phishing-resistant MFA on every account with access to regulated data. Entra ID, Okta, Duo, Google Workspace.
EDR & MDR
Behavioural detection on every endpoint. 24/7 SOC on Enterprise plans. Required by every modern framework.
Vulnerability Scanning
Quarterly external and internal scans. Authenticated internal scanning now required by PCI DSS v4.0.1.
Awareness Training
Annual training plus monthly phishing simulation. Documented completion records satisfy every framework's training requirement.
Backup & DR
Immutable backups, tested restoration. The retention schedule maps to PIPEDA, PCI DSS, SOC 2, and FINTRAC requirements.
Cybersecurity overview
The layered defence model that produces evidence across compliance frameworks and cyber-insurance underwriting.
How a compliance engagement runs
- Scoping (week 1). Identify which frameworks apply, which industry overlays, current control maturity, commercial drivers (cyber insurance, customer questionnaires, enterprise procurement). Free 30-minute scoping conversation.
- Multi-framework gap assessment (weeks 2-4). One assessment that maps current controls to every applicable framework. Identifies overlap, prioritises gaps by impact across frameworks, recommends sequencing.
- Program design (weeks 3-5). Integrated policies, procedures, and evidence collection model. One set of artefacts, mapped to each framework. GRC platform selection if SOC 2 is in scope.
- Technical remediation (weeks 4-X). Close gaps in priority order. Shared technical baseline first (MFA, EDR, encryption, vulnerability management, awareness training, backups). Framework-specific work second.
- Evidence and attestation (variable). Complete each applicable framework's required deliverable: SAQ + AOC for PCI DSS, Type 1 or Type 2 report for SOC 2, FINTRAC compliance program documentation, PIPEDA program documents.
- Ongoing management. Quarterly cadence (scans, evidence reviews, recertifications, vendor reviews). Annual cadence (policy review, risk assessment, BCP test, audits, training refresh). Continuous monitoring.
Cyber insurance considerations
Compliance evidence is increasingly the same evidence cyber insurance underwriters request at renewal. The integrated program we run also produces the underwriter package: MFA coverage attestation, EDR/MDR statement of controls, backup immutability evidence, incident response runbook, awareness training completion. Insureds with current SOC 2 Type 2 and PCI DSS attestations see materially better pricing and limits. See our cyber insurance section on the cybersecurity overview.
FAQ
Which compliance frameworks apply to most BC businesses?
PIPA always. PIPEDA on cross-border data. PCI DSS if you take cards. SOC 2 if you sell SaaS to enterprise. FINTRAC if you are a reporting entity. Industry-specific frameworks layer on top.
Where should we start?
PIPEDA/PIPA program plus the shared technical baseline (MFA, EDR, vulnerability management, awareness training, backups). Then framework-specific overlays as commercial drivers require.
How long does it take?
Documented PIPEDA/PIPA program: 8-12 weeks. PCI DSS depending on SAQ: 2 weeks to 12 months. SOC 2 Type 2 first report: 9-15 months. FINTRAC IT baseline: 6-12 weeks. We sequence so each framework reuses the previous one's work.
What does Hexafusion deliver vs a law firm or AML advisor?
We deliver technical controls, evidence systems, policy and program artefacts, and ongoing program management. Legal opinions, regulatory interpretation, and AML compliance program drafting come from your privacy lawyer or AML advisor. We coordinate.
How does compliance affect cyber insurance?
Compliance evidence overlaps heavily with underwriter questionnaire content. Insureds with current SOC 2 and PCI DSS see better pricing and limits. The same evidence package serves both audits and renewals.
Can one program satisfy multiple frameworks?
Yes. The frameworks overlap heavily on technical controls. A well-designed program produces a single evidence package mapped to every applicable framework. Industry benchmarks: 40-60 percent cost reduction versus siloed parallel programs.
What is the role of an Internal Security Assessor (ISA)?
An ISA is trained and certified by the PCI Security Standards Council to perform PCI DSS assessments inside an organisation. Alex Barari held the credential in a previous in-house role and brings that program experience to client engagements.
What does ongoing compliance look like?
Quarterly scans, evidence reviews, access recertification, vendor reviews. Annual policy review, risk assessment, BCP test, pen test, awareness training refresh, audit renewals. Continuous SOC monitoring, breach response readiness, log retention.
Book a compliance scoping call
30-minute call with a former PCI DSS Internal Security Assessor. We map which frameworks apply, identify the integrated path, and produce a sequenced remediation plan. Free.
Related topics
Compliance is one half of the security and risk picture. The other half is the technical baseline that produces the evidence.
