If you need to be HIPAA compliant, the best thing to do is get certified under PCI DSS. Need SOC 2 certification? Get PCI compliant first. ISO 27001? You guessed it: leverage PCI.
PCI DSS (Payment Card Industry Data Security Standard) is a certification designed for companies that take credit card payments. So why the heck would you go up against PCI if you don’t collect credit card data?
Because PCI DSS makes nearly every other security standard easier to leverage, takes work off your plate, and can be leveraged internally or with a Consultant without needing to expend money on an Assessor right out of the gate.
Why PCI Compliance Makes Sense
PCI is one of the most prescriptive standards available. It tells you exactly how to do things and exactly what’s expected of you. It’s rigid and rigorous — and that’s what makes it so much easier to leverage than other security standards.
Let’s say you just need to be compliant with HIPAA or SOC 2. These standards are highly flexible and they allow you to customize your own controls. You’re in charge and you decide how you’ll fulfill the standards’ requirements. If you take any number of SOC 2 engagements and compare them to each other, not a single report will look the same as another one, since each organization chooses its own approach to the controls it implements to meet the criteria.
But the quality of the engagement comes down to who your Assessor is and how thorough they are in ensuring that the criteria are fully covered. With HIPAA in particular, there’s no governing body to validate that you’re compliant. So there’s a lot of latitude and variability in approaching the standard.
The less prescriptive standards give you more flexibility, but that makes the process more complicated and uncertain. You have to figure out everything for yourself, and when it’s all said and done, you won’t know for sure whether your efforts are rigorous enough for real-world cyber risks.
But with PCI, you have very prescriptive controls for everything you do — how to handle access control, what you need to do with your firewalls, how to set up antivirus — you name it. You have a series of built-in directives that leave no room for doubt, and you know exactly what it takes to keep your organization adequately protected.
Even if you don’t collect credit card information, there are many benefits to achieving PCI compliance. You can take the framework of PCI and leverage it for protecting your sensitive data instead of credit card data.
On the other hand, if you start with a less prescriptive standard and later add a more prescriptive one, you’re bound to redo the controls you previously put in place. What passed muster under HIPAA won’t cut it for CMMC or PCI DSS. If you started with PCI to begin with, you automatically have your technical control framework covered for HIPAA and many other standards you go up against down the road.
Even if you don’t need PCI DSS itself, by leveraging PCI you’re actually making it easier to go up against the flexible standards you may need now or in the future. Here’s why…
PCI Compliance Makes Other Certifications Easier
Because PCI DSS is so prescriptive and comprehensive, it maps readily to other certifications. For example, you can easily layer PCI on top of a HIPAA certification. It’s amazingly easy to do, because PCI inherently requires almost everything that falls under the technical and policy requirements of HIPAA. If you’re compliant with PCI, you’re 95 percent of the way to HIPAA compliance, even before the gun goes off.
The time and effort you save by following PCI allows you to effectively kill two certifications with one stone, and to do it without losing time.
The same goes for most other common security standards — whether you’re leveraging SOC 2, NIST, CMMC, ISO or something else. There will be a few items that don’t fall directly under PCI, but your time to complete the secondary certification is now optimized.
This is huge, especially for organizations that have multiple standards to comply with. Do the work once, and you’re essentially covered for the bulk of your other standards. PCI maps neatly on top of almost any new standard you might need to comply with.
The totality of your controls from PCI alone, plus secondary leftovers from additional standards, sets your organization up nicely to take on the next new standard you are required to integrate into your compliance matrix.
One Certification to Rule Them All
The long-term benefits of investing in PCI certification first can be measured for years. For example, you may discover two years from now that you have a new opportunity to expand into the healthcare industry, but you need to be HIPAA compliant to win those customers.
With a PCI certification, you can quickly pivot and become HIPAA compliant in a tiny fraction of the time it would normally take. Because of your foresight years ago, PCI compliance allows you to enter a new market without slowing down.
I was recently on a call with a client. They’re currently compliant with PCI and HIPAA, and they want to add a criminal justice certification (CJIS), CMMC, and SOC 2. Because PCI gives them a solid foundation of controls that they started out on, they’re in a position to easily fold in these secondary standards.
The investment they put into PCI DSS years ago continues to pay off as they seize the new opportunities they face far more easily.
Does PCI Certification Make Sense for You?
When I founded Total Compliance Tracking, one of the first things I did was leverage PCI DSS, even though we weren’t taking credit card data at the time. I made the decision to do whatever I could to protect my organization. It’s my job to protect my company and the clients who depend on us, as well as the people who work for TCT. And I take that responsibility seriously.
Likewise, the overall strength of your security and compliance program is bar none the most important element of your job. Cyber liability insurance won’t keep you secure; it’ll only lessen the monetary losses after a disastrous event strikes your business.
Becoming PCI compliant is perhaps the single most effective way to proactively protect your company’s sensitive data from a breach — even if you don’t process credit card information. In light of that, why wouldn’t you leverage compliance with the PCI DSS?