Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all information requiring heightened controls to protect the owning person from exploitation. This year alone has seen significant breaches of personal data from Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million customers. What, how, and when to protect each unique type of information is an obligation of the organization to its clients.
What are PII, PCI, & PHI?
Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are useful data collected by organizations to transact on behalf of the data owner. Each has unique characteristics and protection requirements, but also are similar in the nature of its use.
Personal Identifying Information (PII)
Personal Identifying Information (PII), not to be confused with the most famous mathematical constant, is sensitive data that is owned by a unique person and can identify them when used by itself or in conjunction with other information stored by an organization. It is important for organizations to recognize that PII goes beyond common information, i.e., name, address, phone, SSN, and expands to additional data stored that could inadvertently be used together and expose PII accidentally.
What are Examples of PII?
- Full Name
- Address
- Social Security Number
- Driver’s License or Passport Number
Additionally, combinations of information could also be considered as PII, such as:
- Mother’s Maiden Name + Place of birth = could result in Full Name + Date of Birth within public records
PII is considered the front door for fraudulent behavior and is the most common information that requires heightened risk identification, mitigating controls and ultimately an assurance of control design and effectiveness by an external auditor through a SOC 2, HIPAA, or PCI DSS engagement.
Payment Card Industry (PCI)
Payment Card Industry (PCI) information is any data that is used during a payment card transaction and overlaps to include PII, so yes, PCI does include PII. This data is typically associated with the financial services sector. Due to continued changes with the governance of PCI information under the Payment Card Industry Data Security Standard (PCI-DSS) requirements, all organizations accepting or processing credit cards as payments should be knowledgeable about the requirements to safeguard PCI information.
PCI-DSS today is made up of 6 objectives:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
The above objectives are accomplished through an organization’s control framework.
Several other regulations also require controls around financial information similar to PCI-DSS, for example, the Gramm-Leach-Bliley Act (GLBA). While requirements are clear for cardholder data, a breach would cause inappropriate access and expose the owner of the information to potential financial exposure and fraud.
What are Examples of PCI?
- General PII information (see above)
- Credit Card Number
- Credit Card Chip PIN
- Card Holder Name
Again, organizations storing PCI information that is combined with PII need to consider all information as one.
Learn more about PCI from these blogs:
- What is PCI Compliance?
- SOC 2 vs PCI DSS: What’s the Difference?
- PCI and SOC 2 Audit Requirements: Combining PCI & SOC 2 Audits
Protected Health Information (PHI)
Protected Health Information (PHI) is the most exploited personal information in the modern day. PHI is unique because of the breadth of data that could be considered PHI and protected under the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR). PHI is considered any information on a person’s health.
What are Examples of PHI?
- General PII information (see above)
- Billing Information
- Insurance Information
- Dates of service for health visits
- Details of service, including test results
- Correspondence between provider and patient
PHI can also include PII – again, an organization should consider all datasets being collected and retained for controls.
Check out our other articles on PHI and the GDPR to learn more:
- Does HIPAA Prohibit the Sending of ePHI via Email?
- De-Identification of Personal Information: What is It & What You Should Know
- GDPR Compliance Checklist: Key Tasks for Organizations to Complete
- SOC 2 Privacy vs. GDPR: Personal Data Audit Considerations & Compliance
How Should Your Organization Protect PII, PCI, & PHI?
A multi-layer approach that combines sound business processes aligned with robust technology controls has been proven the best way to protect personal data that falls within PII, PCI, and PHI. In general, PCI DSS, HIPAA, GLBA, and GDPR are rooted in the following general control areas:
- Governance or Administrative – Processes that guide an organization to do the ‘right’ thing when handling PII, PCI information, and PHI.
- Data management – The protection of personal data during creation, use, and distribution.
- General Technology Controls covering:
- Physical and Logical Access
- Technology Change and Incident Management
- Business Continuity and Disaster Recovery
- System Development Lifecycle
- Information Security
Each unique organization will have unique controls specific to their environment that delivers multi-layer protection – there is no same size fits all.
What Types of Audits Cover Data Under PII, PCI, & PHI?
Auditing each of the above information types is required based on an organization’s industry and product. Additionally, requirements within GDPR, GLBA, and HIPPA all regulate the use, storage, and distribution of each type of information.
A traditional audit approach will include:
- Readiness Assessment of the current controls against expected controls as defined in PCI DSS, HIPAA, or the common criteria used for SOC 1 and SOC 2.
- Gap Remediation based on readiness assessment results
- Test of Design audit against the identified controls and based on the expected controls in-scope.
- Lastly, a SOC 1/2, HIPAA, or PCI DSS audit to test the effectiveness of the organization’s actual controls.
A PCI audit is specific to the requirements outlined under the PCI DSS, while a HIPAA audit covers the PHI data specifically and is required to practice in the healthcare service space.
Organizations often are forced into multiple types of audits, like SOC 2, PCI DSS, and HIPAA+. Efforts are made continuously to reduce resource fatigue with multiple audits across the calendar year, utilizing GRC tools like Vanta which align controls based on requirements. Planning compliance efforts directly with your auditor and keeping control scope based on PII, PCI, and PHI requirements in the forefront is the most efficient way to create a successful plan that covers all areas.
Summary
Protecting PII, PCI information, and PHI are not only required by regulations to do business in specific sectors, it is also the right thing for organizations and their commitment to their clients.
At this time Linford & Co. does not perform PCI audits; however, we specialize in SOC 1 audits, SOC 2 audits, and HIPAA+ examinations. Please contact us for further information to determine if an audit is the right decision for your organization.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.