PCI DSS & HIPAA Compliance
The Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA) have far-reaching implications for businesses that work with either cardholder data or patient health information. Remaining compliant is vital for organizations that want to protect their customers and serve as trusted industry leaders. Learn how Flexential Professional Services can support your compliance efforts so you can be more confident and efficient and enabled to stay focused on bottom-line initiatives.
The Importance of PCI DSS & HIPAA Compliance
PCI DSS and HIPAA are concerned with different types of data. The purpose of PCI DSS is to protect cardholder data and the purpose of HIPAA is to protect protected health information. Read on to learn about PCI DSS and cardholder data or skip ahead to cover HIPAA and protected health information.
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard is required for all businesses that handle or come into contact with credit card information. No matter the industry or size, any company that processes, stores, or transmits credit card information must be PCI DSS compliant. PCI DSS is administered and managed by the PCI Security Standards Council (PCI SSC), an independent body created by Visa, MasterCard, American Express, Discover, and JCB International. In short, PCI DSS aims to protect the entire payment card ecosystem, ensuring that sensitive cardholder data is secure and unable to be leaked or stolen.
Benefits of PCI DSS Compliance
The first benefit to PCI DSS compliance is that the cardholder data your organization comes into contact with is secure and protected. The benefits that follow include
• Customer and partner trust - customers that engage with your business—and potential partners—will want to know that you’re compliant with the industry-accepted level of security for sensitive credit card data.
• Connection to a global payment security solution - you’re helping to prevent future data breaches or theft as a tested link in the chain.
• A better IT infrastructure - placing safeguards and encryption on key data systems makes your data and IT infrastructure more secure.
Penalties for PCI DSS Non-Compliance
Failing to achieve or maintain PCI compliance can result in:
• Costly fines and inability to process credit card transactions - organizations that failed to keep their cardholder data secure have faced substantial fines. Some organizations have also been prohibited from processing transactions.
• Loss of trust and future sales - both partners and customers are likely to sever ties with an organization that fails to keep sensitive data safe.
• Increased risk for connected merchants and financial institutions - if your chain link isn’t compliant, you can make security more complicated for partners or institutions connected to you.
What are the Requirements for PCI DSS Compliance?
There are 12 requirements for PCI DSS compliance:
1. Maintain firewalls - firewalls are the first line of defense against hackers or accidental leaks; they block access to sensitive data from foreign or unknown entities.
2. Password protection - the device(s) your business uses to store, transmit, or process cardholder data–routers, modems, point of sale (POS) systems–generally come out of the box with generic passwords; you should change them to something secure and maintain a protected device/password inventory.
3. Data protection - the card data you come into contact with should feature encryption put into place by encryption keys–which should themselves be encrypted; regular scanning of primary account numbers (PAN) is also required to ensure all data is encrypted.
4. Transmission protection - cardholder data rarely stays in one place; while being sent through channels like payment processors or even home offices, the data must stay encrypted during transit.
5. Maintain anti-virus - anti-virus software is required–and should be regularly updated–for all devices that interact with cardholder data.
6. Updated software - software of all kinds receives patches and updates that include new security measures; you need to ensure that all devices receive those updates as soon as they’re available.
7. Restrict access - it’s unlikely that everyone at your business needs access to cardholder data; the specific roles that do should be well-documented and regularly updated.
8. Access IDs - for those who have access to encrypted data, unique credentials and passwords are required; there should never be a shared login for multiple employees with access to cardholder data.
9. Secure location(s) - Data that is physically written or typed or kept on a server or hard drive should be locked in a secure room, drawer, or cabinet; access to it should be limited and logged for compliance.
10. Maintain access logs - all activity that interacts with cardholder data should be logged; there should be clear documentation of how data is moving around your organization and when access is needed.
11. Scan and test - All aspects of compliance–software, physical locations, employee training–should be regularly tested; there are often unforeseen malfunctions or oversights that compromise data safety.
12. Document policies - there should be clear documentation and rules for the 11 previous requirements, including inventories, logs, software, updates, employees with access, and training protocols.
How to Become PCI DSS Compliant
No matter your organization’s size, maintaining PCI DSS compliance can be a major lift. You can devote in-house time and resources with full-time PCI and compliance experts to assist with the above 12 requirements. But if you lack the staff and need to focus more on key initiatives and growth, Flexential Professional Services can provide reports, attestations, guidance, and more to support your compliance efforts.
Flexential’s PCI Qualified Security Assessors (QSAs) provide:
• Report on Compliance (RoC)
• Attestation of Compliance (AoC)
• Expert SAQ assistance,
• Validated PCI scopes,
• Identified compliance risks,
• Ethical hacking for penetration-testing of cardholder data environments (CDE)
What is HIPAA Compliance?
While PCI DSS is concerned with credit card data, HIPAA is concerned with protected health information (PHI).
PHI includes any information, including demographic information, which relates to an individual’s past, present, or future medical condition(s); the past, present, or future health care provided to that individual; and the past, present, or future payment for health care services received. PHI also includes common identifiers like name, address, birth date, and social security number.
In short, HIPAA is about keeping people’s healthcare data protected and secure. It’s generally broken down into two key rules, the Security Rule (PHI must be protected and encrypted) and the Privacy Rule (patients have a right to see and request copies of their medical and health records maintained by their providers and health plans).
Those who must abide by HIPAA include:
• Covered entities – all those in a healthcare field that use or have access to PHI, including doctors, nurses, and insurance companies.
• Business associates - individuals or organizations that work alongside a covered entity in a non-healthcare capacity, like lawyers, accountants, and IT personnel.
Benefits of HIPAA Compliance
Just like PCI and cardholder data, HIPAA compliance first and foremost protects the privacy of sensitive information. Patients need their protected health information to be secure and accessible only by those who require it for their job, like healthcare providers or insurance companies. Other benefits to HIPAA compliance include
• Establishing safeguards that providers and business associates must achieve to handle and transmit PHI,
• The ability to hold violators accountable through fines or penalties if a patient’s private data is leaked or stolen,
• Setting guidelines for when disclosure of certain health data is important, like in service of public health.
Penalties for HIPAA Non-Compliance
The accidental leak of PHI is a serious violation that brings civil penalties based on a tiered system of how much “willful neglect” was at cause. As of 2022, this includes tier 1 fines of a minimum of more than $100 per violation, up to tier 4 fines of a minimum of ~$60,000 per violation.
Additionally, HIPAA violations can result in criminal charges if a healthcare professional or business associate knowingly obtained or used PHI for reasons not permitted by the HIPAA Privacy Rule. This can include the selling of patient data or wrongful disclosure of PHI with the intent to cause harm.
And just like PCI non-compliance, HIPAA violations can result in:
• Loss of trust from partner organizations or consumers,
• Weakened safety across the entire “chain” of connected entities that deal with PHI, and
• Costly fines and legal expenses as violations and penalties build.\
What are the Requirements for HIPAA Compliance?
The steps below comprise some of the most essential components of HIPAA compliance.
Determine which systems create, receive, maintain, or transmit PHI, and “silo” them from other parts of your organization’s IT infrastructure.
1. Conduct an inventory of these systems and devices and have a record of how PHI moves between them.
2. Ensure all devices that work with PHI have password or PIN protection and auto logoff capabilities.
3. Introduce additional measures like internet filters or e-mail encryption that mitigate threats from malware or phishing attempts.
4. Determine which employees need access to PHI and use role-based access controls that limit what they need to see for their specific role.
5. Create a verification system that identifies who is accessing PHI and ensures they are complying with security requirements.
6. Create a process for authorized employees to report or escalate security incidents involving PHI.
7. Create training for all employees that includes security concerns and incident reporting procedures.
8. Develop a contingency plan for future threats that may impact PHI and a sanctions policy made available to all employees.
9. Review existing business associate agreements that feature or relate to disclosures of PHI.
10. It’s also a good idea to designate a HIPAA Security Officer that will oversee and manage the steps above; in larger organizations, this may be a member of the IT team.
You can also read more about how HIPAA compliance works in cloud solutions or how to maintain HIPAA compliant during disaster recovery.
How to Become HIPAA Compliant
Just like PCI compliance, HIPAA compliance can be a complex, often moving target that requires dedicated hours and full-time compliance experts. And as regulations get updated, you need to react quickly to maintain compliance with PHI.
To make compliance easier and cost-effective, Flexential Professional Services can provide verification, guidance, and certification to establish and maintain HIPAA compliance.
• Flexential’s HealthCare Information Security and Privacy Practitioners provide
• Comprehensive risk and compliance assessments,
• Actionable and prioritized remediation guidance,
• Assistance to proactively manage HIPAA compliance.
• Improved protection of PHI and reduced financial and reputational risk.
• Increased security for decreased risk of fraud or abuse
Both PCI DSS and HIPAA demand expert guidance and have strict requirements for compliance. Achieve and maintain your organization’s mandated compliances by leveraging Flexential’s expertise across industry standards and regulations and get back the time you need for strategic initiatives and growth.
Reach out today to start the discussion and get a quote.