PII, PHI, PCI: Understanding the Differences for Compliance

PII vs PHI vs PCI: Key Differences and Compliance Strategies

Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all categories of information that require heightened controls to protect the person they describe from exploitation.

In 2024, several high-profile data breaches exposed sensitive information, highlighting the ongoing struggle to protect PII, PCI, and PHI. In March, AT&T was breached, compromising data from 7.6 million current and 65.4 million former customers, including sensitive information such as Social Security numbers and account passcodes. In May, Dell saw the personal details of 49 million customers, including addresses and order data, fall into the hands of hackers. Similarly, Bank of America was impacted by a ransomware attack in February, which exposed over 57,000 customers’ Social Security numbers and credit card information. A notable breach of Protected Health Information (PHI) occurred in the MOVEit hack, where healthcare organizations such as Johns Hopkins and the U.S. Department of Energy had confidential medical data compromised.

These incidents emphasize that organizations must remain vigilant in safeguarding each unique type of sensitive information. The responsibility of deciding what, how, and when to protect this data is not just a regulatory requirement but a core obligation to their clients to prevent exploitation.

What are PII, PCI, & PHI?

Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are useful data collected by organizations to transact on behalf of the data owner. Each has unique characteristics and protection requirements, but they are also similar in how they are used.

What is PII?

Personal Identifying Information (PII), not to be confused with the most famous mathematical constant, is sensitive data that is owned by a unique person and can identify them when used by itself or in conjunction with other information stored by an organization. It is important for organizations to recognize that PII goes beyond the common details, e.g., name, address, phone, SSN, and extends to other stored data that could be combined to expose an identity unintentionally.

What are Examples of PII?

  • Full Name
  • Address
  • Social Security Number
  • Driver’s License or Passport Number
  • IP addresses (in certain contexts)

Additionally, combinations of information could also be considered as PII, such as:

  • Mother’s Maiden Name + Place of Birth: combined with public records, these two values can lead to a Full Name + Date of Birth

PII is considered the front door for fraudulent behavior and is the most common information that requires heightened risk identification, mitigating controls, and ultimately an assurance of control design and effectiveness by an external auditor through a SOC 2, HIPAA, or PCI DSS engagement. It is highly regulated by laws such as GDPR, HIPAA, and CCPA to ensure privacy and protection against misuse.

What is PCI?

Payment Card Industry (PCI) information is any data used during a payment card transaction. It overlaps with PII, so yes, PCI does include PII. This data is typically associated with the financial services sector.

The Payment Card Industry Data Security Standard (PCI DSS) is now in version 4.0, which introduces stricter requirements for securing cardholder data, such as Primary Account Numbers (PAN), cardholder names, and sensitive authentication data like CVV and PIN codes. New controls emphasize encryption, strong cryptography during transmission, and updated security measures for handling cardholder data.

PCI DSS compliance is mandatory for any entity that stores, processes, or transmits credit card information. Because the governance of PCI information under PCI DSS continues to change, every organization that accepts or processes credit cards as payment should stay current on the requirements for safeguarding it.

PCI DSS today is made up of six objectives:

  1. Build and Maintain a Secure Network and Systems
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

The above objectives are accomplished through an organization’s control framework.

Several other regulations also require controls around financial information similar to PCI DSS, for example, the Gramm-Leach-Bliley Act (GLBA). Even though the requirements for cardholder data are clear, a breach still means inappropriate access and exposes the owner of the information to financial loss and fraud.

What are Examples of PCI?

  • General PII information (see above)
  • Primary Account Number (PAN): The unique number on a payment card, often referred to as the card number.
  • Cardholder Name: The name of the individual authorized to use the payment card.
  • Expiration Date: The date the card becomes invalid, typically printed on the card.
  • Service Code: A three- or four-digit code on a card that specifies acceptance requirements and limitations.
  • Sensitive Authentication Data (SAD): Includes details like full magnetic stripe data, card verification codes (CVC, CVV), and PINs used during authentication.

Again, organizations storing PCI information that is combined with PII need to consider all information as one.

What is PHI?

Protected Health Information (PHI) is the most exploited personal information in the modern day. PHI is unique because of the breadth of data that could be considered PHI and protected under the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR).

PHI is considered any information on a person’s health. This includes ePHI (Electronic Protected Health Information), a subset of PHI that refers specifically to PHI stored or transmitted in electronic form: digital records, emails, electronic health records (EHRs), and data transmitted over the Internet or via other electronic means.

What are Examples of PHI?

  • General PII information (see above)
  • Billing Information
  • Health Insurance Information
  • Dates of service for health visits
  • Social Security Number (SSN) or Medical Record Number (MRN)
  • Diagnosis and Treatment Information
  • Correspondence between provider and patient

These types of data are critical to protect under regulations like HIPAA, especially when in electronic form (ePHI).

PHI can also include PII and can exist in any format (paper, electronic, verbal), while ePHI is PHI specifically in an electronic format, which has additional security requirements under HIPAA regulations. Organizations should consider every dataset they collect and retain when scoping controls.

How Should Your Organization Protect PII, PCI, & PHI?

A multi-layer approach that combines sound business processes with robust technology controls has proven to be the most effective way to protect personal data that falls within PII, PCI, and PHI. In general, PCI DSS, HIPAA, GLBA, and GDPR are rooted in the following general control areas:

  • Governance or Administrative: Processes that guide an organization to do the ‘right’ thing when handling PII, PCI information, and PHI.
  • Data management: The protection of personal data during creation, use, and distribution. This includes implementing data retention and disposal policies that govern the secure deletion or destruction of sensitive information, using methods like data wiping for electronic records and shredding for physical documents to prevent unauthorized recovery of sensitive data.
  • Data Encryption: Encrypting data at rest, such as files and databases, helps protect it from unauthorized access in case of a breach, while encrypting data in transit ensures that information sent over networks is secured. Using secure protocols like TLS/SSL is essential for protecting data during communication between systems.
  • Robust Security Measures: Deploying robust security measures, such as firewalls and intrusion detection systems (IDS), helps protect networks from unauthorized access and detect potential breaches. Regularly updating systems and applications with security patches minimizes vulnerabilities. Additionally, data masking and tokenization can further reduce the risk of exposure by obscuring sensitive data when it is not needed in its full form.
  • Regular Audits and Monitoring: Continuous monitoring ensures real-time detection of suspicious activities, while regular internal and external audits, such as SOC 2, HIPAA, or PCI DSS assessments, help validate the effectiveness of security controls and identify potential weaknesses in the system.
  • General Technology Controls covering: 

Each organization will have controls specific to its environment that together deliver multi-layer protection – there is no one size fits all.
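As an added example that is not part of the original article, the following Python sketch shows what the data masking and tokenization controls above look like in code for the PCI data elements listed earlier: the PAN is validated, masked to its last four digits for display, and replaced by a random token held in a vault, while Sensitive Authentication Data (CVV, PIN, track data) is dropped before the record is persisted. The `TokenVault` class, the field names, and the sample record are assumptions made for illustration; 4111 1111 1111 1111 is a widely used test number, not a real card.

```python
import re
import secrets

# Sensitive Authentication Data (SAD) from the PCI list above must not be kept
# after authorization, so these keys are dropped before anything is persisted.
SAD_FIELDS = frozenset({"cvv", "pin", "track_data"})   # field names are assumed

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check that the digits look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form of the PAN: everything but the last four digits masked."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Hypothetical in-memory vault: the PAN stays here, callers keep a token."""
    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._token_by_pan:
            token = secrets.token_hex(16)  # random, so it reveals nothing about the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:  # access here must be restricted and logged
        return self._pan_by_token[token]

def prepare_for_storage(record: dict, vault: TokenVault) -> dict:
    """Return the part of a card record that may be stored outside the vault."""
    safe = {k: v for k, v in record.items() if k not in SAD_FIELDS and k != "pan"}
    safe["pan_token"] = vault.tokenize(record["pan"])  # reference for refunds/lookups
    safe["pan_masked"] = mask_pan(record["pan"])       # what receipts and UIs may show
    return safe

# Constructed sample record; 4111... is a common test PAN, not a real card.
SAMPLE = {"pan": "4111111111111111", "cardholder_name": "A. Example",
          "expiry": "12/27", "cvv": "123"}
```

Running `prepare_for_storage(SAMPLE, TokenVault())` yields a record with no `cvv` and no `pan`, only `pan_token` and `pan_masked` alongside the non-sensitive fields.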

What Types of Audits Cover Data Under PII, PCI, & PHI?

Auditing each of the above information types is required based on an organization’s industry and product. Additionally, requirements within GDPR, GLBA, and HIPAA all regulate the use, storage, and distribution of each type of information.

A traditional audit approach will include:

  • Readiness Assessment of the current controls against expected controls as defined in PCI DSS, HIPAA, or the common criteria used for SOC 2.
  • Gap Remediation based on readiness assessment results
  • Test of Design audit against the identified controls and based on the expected controls in scope
  • Lastly, a SOC 2, HIPAA, or PCI DSS audit to test the effectiveness of the organization’s actual controls

A PCI audit is specific to the requirements outlined under the PCI DSS, while a HIPAA audit covers the PHI data specifically and is required to practice in the healthcare service space.

The ISO/IEC 27001 audit is the international standard for information security management systems (ISMS) and focuses on a broad range of sensitive data, including PII, PCI, and PHI. ISO/IEC 27001:2022 audits evaluate the organization’s security framework, policies, and controls to protect data from unauthorized access and breaches.

Organizations are often required to undergo multiple types of audits, such as SOC 2, ISO/IEC 27001:2022, PCI DSS, and/or HIPAA+. Continuous effort goes into reducing the resource fatigue of multiple audits across the calendar year, for example by using GRC tools like Vanta that map controls to the requirements they satisfy. Planning compliance efforts directly with your auditor and keeping control scope anchored to the PII, PCI, and PHI requirements is the most efficient way to create a successful plan that covers all areas.

Summary

Protecting PII, PCI information, and PHI is not only required by regulations to do business in specific sectors, it is also the right thing for organizations and their commitment to their clients.

At this time Linford & Co. does not perform PCI audits; however, we specialize in SOC 1 audits, SOC 2 audits, and HIPAA+ examinations. Please contact us for further information to determine if an audit is the right decision for your organization.

This article was originally published on 8/17/2022 and was updated on 9/18/2024.