PCI DSS VS. HIPAA
We live in an age where ecommerce and online shopping are an integral part of our everyday lives. Garage sales turned into eBay. Costco turned into Amazon. Whether we like it or not, our lives revolve around online businesses in more ways than one. We take online shopping for granted when in reality there is a great deal going on behind the scenes to make it possible to process a payment online.
The Payment Card Industry is dominated by a few key brands: American Express, Visa, and Mastercard, to name a few. In 2004, with credit card fraud on the rise alongside the growth of online shopping, the major credit card brands banded together to form the Payment Card Industry Data Security Standard, or PCI DSS. While there are well over a thousand validation points within the PCI DSS, they can be reduced to 12 requirements that the Payment Card Industry requires companies to uphold in order to process payments with their credit cards. Any business that wants to accept payments online must uphold these standards. Luckily, payment services such as Stripe or Square let companies process payments through their already-compliant platform for a small fee and take advantage of this.
In addition to the PCI DSS, any company conducting business in the United States that handles any sort of protected health information (PHI) is required to maintain the standards laid out in the Health Insurance Portability and Accountability Act (HIPAA). While HIPAA was originally enacted in 1996, it has been adapted and expanded upon heavily, most notably by the 2013 Final Omnibus Rule, which extended the requirements of HIPAA beyond covered entities such as hospitals or dental practices to anyone who comes into contact with PHI in the course of their business (business associates). This means that not only doctors and healthcare professionals must be HIPAA compliant, but also the IT services, accountants, and even software developers who conduct business with these covered entities are held to the standards of HIPAA.
While there is a bit of overlap between the PCI DSS and HIPAA, compliance with one is nowhere near compliance with both. While each is pretty exhaustive for its respective industry, entities within the healthcare industry that take card payments are required to maintain compliance with both in order to do business. Below we will briefly outline the requirements of both and identify some key differences.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is made up of 12 key requirements to ensure the secure handling of cardholder data when processing payments online. These 12 requirements are as follows:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Health Insurance Portability and Accountability Act (HIPAA)
In contrast, the requirements of HIPAA have much less to do with payment information and much more to do with a person’s PHI. The requirements of HIPAA are as follows:
- Appoint a Privacy Officer
- Privacy Policies
- Security Procedures
- Business Associate Agreements in Place
- Annual Training
- Regular Risk Assessment
- Established Breach Notification Protocol
As you can see, PCI DSS goes into much more detail and has quite a few more regulations than HIPAA in regard to its respective data. Because payment information is considered PHI, the HIPAA requirements do apply to payment information; however, they do not encompass all the requirements of PCI DSS. As shown above, there are quite a few more regulations on payment card information than on protected health information. One could argue that payment card information is vastly more important to secure than PHI; however, according to experts, PHI is between 10 and 20 times more valuable than a credit card number when sold online. Because of this, other countries and even individual states have recognized the need for increased security measures for PHI and have introduced more stringent policies, such as GDPR in the EU or CCPA in California, that build on the foundation set by HIPAA. With the value of PHI much higher than that of payment card numbers and the legislation still a bit up in the air, this does create a market need for
Ultimately, PCI DSS and HIPAA both aim to secure entirely different types of information while attempting to meet a similar need: data security. While there is a degree of overlap, it is not enough to provide any real benefit from focusing on one over the other. In fact, becoming compliant with only one of them leaves you exposed to a finding of noncompliance with the other in the event of an audit.