The Green Sheet Online Edition
October 25, 2010 • Issue 10:10:02
HIPAA and PCI: How do they compare?
Data privacy and security have received significant press coverage in recent years - and for good reason. It's crucial to continually promote Payment Card Industry (PCI) Data Security Standard (DSS) compliance, as well as Health Insurance Portability and Accountability Act (HIPAA) compliance, because most entities - private and public, nonprofit and governmental - are still not doing enough to protect sensitive data.
It's not the hard-copy documents fraudsters are after. They prefer digital data because they don't need access to their victims' physical locations to obtain it. A skilled fraudster can break into business servers and steal sensitive card information from across the world.
Theft of digital documents also does not require grabbing original files. For example, when a physician's office is broken into, paper records are usually stolen, and that is the telltale sign of a break-in. With digital theft there is no paper trail; data can be duplicated instantly without disruption or notice.
The importance of control
Control measures are one of the most important parts of maintaining secure business practices. The human element is the hardest part to control. This is where PCI and HIPAA compliance come in.
The PCI DSS restricts access to cardholder data to minimize the risk of sensitive data being stolen. Access should be limited to people who have a business case for access. Also, each authorized person must present a unique ID before being able to view the information, and a full audit trail for access must be in place.
PCI requirements are tiered; the amount of data to be protected will affect the level of PCI compliance a given business must meet. HIPAA covers all health care providers who have access to and store sensitive medical data. The PCI DSS covers anyone who processes and stores credit card information.
The rigors of PCI
To achieve full PCI compliance, one must take certain actions. While HIPAA's guidelines are more than three times larger than the PCI DSS, HIPAA does not so much set forth specific actions as provide processes to help determine what to do. HIPAA distinguishes between "required" and "addressable" actions and seems to emphasize general rules overall, while PCI DSS guidelines are direct and specific, making PCI compliance a more rigorous and intensive process. For instance, a network administrator of a hospital billing system that contains both credit card and medical information must ensure that the hospital's system is both HIPAA and PCI compliant. Here is an example of what each standard requires.
PCI DSS standard 8.3 stipulates that remote system-level access must use two-factor authentication (commonly, a password and an ID badge or time card). However, someone with application-only access is not mandated to use strong, two-factor identification.
HIPAA requires three steps: determine the authentication applicability, evaluate options, and select and implement the option. (This rule is for someone with access to the whole record or system.)
The risks of noncompliance
Protecting cardholder and patient data is extremely important. Those who process, store or transmit credit card data must be PCI compliant.
Failure to be compliant can result in costly fees, including additional fees from merchant banks, and even the loss of the ability to process credit cards. This can be devastating to any business.
Merchants seeking PCI DSS compliance must take many things into consideration. It is their responsibility to find service providers who are and will remain PCI compliant. Said providers must offer safe, reliable solutions for merchants; they must also be vigilant about maintaining PCI compliance.
In addition, merchants must realize PCI compliance involves more than partnering with a compliant service provider. It also requires a potential change in their business practices. Failure to adapt can cause more fees and fines.
A possible collaboration
Given the distinct approaches of PCI and HIPAA requirements, it is easy to conclude the PCI DSS guidelines are stricter and more precise than the HIPAA guidelines. Could the organizations responsible for managing the HIPAA and PCI standards create a joint venture to ease the compliance process for merchants and ISOs? Would such a joint venture help you?
Nicholas Cucci is the Marketing Director for Network Merchants Inc. He is a graduate of Benedictine University. Prior to joining NMI, Cucci worked in the payment processing division for a Fortune 500 company and has advised several large retailers on credit card fraud protection, screening and risk assessment. He can be reached at firstname.lastname@example.org or 800-617-4850.