
PCI Compliance VS HIPAA


Believe it or not, one of the most important challenges facing the electronic payment industry over the last two decades has been the problem of differing security requirements across industries. Many people overlook this and assume that only the Payment Card Industry Data Security Standard (PCI DSS) faces this challenge, but the truth is that the problem is much bigger. In fact, several security standards are currently in use at the same time.


Due to its huge popularity and success, PCI DSS is often mistaken for the entire field. The fact of the matter is that there are also other security standards, such as HIPAA (the Health Insurance Portability and Accountability Act) of 1996, Title II; FACTA (the Fair and Accurate Transaction Act) of 2003; the Gramm-Leach-Bliley Act of 1999; and the Sarbanes-Oxley Act of 2002. Of these federal regulations, only one stands out because of its popularity among merchants and the industry it serves. HIPAA consists of two Titles: Title I deals with health insurance coverage for employees and their relatives, while Title II deals with national standards for electronic health care transactions and the information associated with those transactions, such as identification information for providers, health insurance plans, etc.

Many experts agree that the two compliance standards share many similarities and that they are also interdependent. Both the Health Insurance Portability and Accountability Act (HIPAA) privacy standards and the Payment Card Industry Data Security Standard (PCI-DSS) strive to minimize risk exposure, but if you take a careful look you will observe that they try to achieve this in subtly different ways.

For example:

    • PCI-DSS classifies those covered by the requirements into tiers, and those tiers are determined by the amount of sensitive data handled. HIPAA, on the other hand, does not classify covered entities, or at least not in a very clear way.

    • Another difference can be illustrated by the size of the requirements documents. PCI structures all of its requirements, together with workflows, charts and other material, in a single document of 73 pages. HIPAA, in contrast, chose to spread its requirements across 9 separate documents, which together add up to almost 200 pages.

    • PCI is very strict about its requirements, whereas HIPAA splits its specifications into two categories depending on the level of enforcement: addressable and required. Addressable specifications are not mandatory, but each one must be assessed individually by the covered entity. Required specifications are the ones that must be implemented.

    • A trend is already visible from the comparisons above: PCI is strict about its requirements, whereas HIPAA gives only general guidelines.

If we take a closer look at these two standards and analyze them, we can see that these differences come from their very nature. The most important difference of all is that PCI-DSS is backed by a private institution, the Payment Card Industry, which in turn is backed by major companies such as American Express, Mastercard and Visa, whereas HIPAA is backed by the government and came into being through the political process. The reasons the two were created are fundamentally different, and this echoes through their other differences. PCI was developed to assure the card companies that their products were secure and efficient, so that people would use them and generate profit for the parent companies, whereas HIPAA was created presumably out of need, but at its core was the desire of a man to be reelected.

Then again, they also share some common principles. One of the most important is the implementation principle: in both cases, poor implementation or a lack of knowledge of the requirements leads to a potential disaster. In both cases, the mistakes of merchants are severely punished, because through their own mistakes they put the entire system (HIPAA or PCI) at risk, and that is not tolerated. Another important common principle is the desire to make the system as safe as possible and to offer clients the best possible experience, although each achieves this through different means. Both standards share similar policies regarding information access, management of the security process, assignment of security responsibility, contingency planning, workstation use, disposal requirements and many more.

In conclusion, the two systems are fundamentally different because one is state-backed and the other is privately owned, but this doesn't mean they have no similarities. As I have shown above, they share common policies but apply them differently.

