Unraveling the Differences Between PII, PCI, and PHI
PII, PCI, and PHI are all important topics when it comes to data and IT. Understanding the differences and similarities can help identify and protect this data. In this article, we will look at each of these three topics in detail.
Personally Identifiable Information
The first topic is PII, which stands for “Personally Identifiable Information.” PII is any information that can be used to identify an individual person, that is, any unique information that can be traced back to you. This ranges from your name, address, email address, or date of birth (DOB) to your driver's license number, Social Security Number (SSN), and credit card numbers. It is very important that you protect this information and limit who it is provided to. Some of it, such as your name and address, might already be public. Asking yourself whether the party requesting this information actually needs it can help you determine what to provide. Identity theft could occur if someone gains access to multiple components of your PII.
Payment Card Industry
The second topic is PCI, which stands for “Payment Card Industry.” A related acronym is PCI DSS, the “Payment Card Industry Data Security Standard.” PCI DSS requires that all entities that use point-of-sale (POS) devices, internet connections, and online shopping websites have standards in place to protect their customers. If PCI controls are not in place, your credit/debit card information could be stolen at any one of those points. PCI DSS also protects cardholder data through technical and operational requirements. A PCI breach could happen when you use your credit/debit card to purchase something and controls are lacking on the POS device, or protection is lacking on your personal device, internet connection, or the online shopping website. Because credit/debit cards are the number one way purchases are made today, PCI DSS was put in place to protect cardholders.
Public Health Information
The third topic is PHI, which stands for “Public Health Information.” This is health information that can be linked to you demographically. It could include health information held by physicians, healthcare providers, insurance companies, and payment processors. HIPAA (the Health Insurance Portability and Accountability Act) was enacted to help protect this kind of information. Under HIPAA, medical professionals may not give out any patient information to anyone who is not authorized to receive it. If this type of information were released, it could be exploited by bad actors.
Now that we have defined each term and noted the differences, we will cover the similarities among PII, PCI, and PHI. All three consist of similar information, such as SSN, address, DOB, and name. A healthcare provider will often retain this information about you for billing and insurance purposes. Additionally, when signing up for an online account you will almost always be asked to enter PII to receive whatever it is you are purchasing. Depending on your purchase, PHI could sometimes come into play so that an entity can get demographic data on its users. When providing this information, it is important to ask, “Does the vendor need this information?” before inputting it or answering questions. Entities understand that keeping their customers’ PII, PCI, and PHI confidential is very important in order to keep their customers’ business and show that they value them.
PII, PCI, and PHI are all important and should be protected. Controls to protect this information can include enacting policies for classifying and distributing information, limiting access to it, and encrypting the data. Compliance-related audits will review the controls in place at a company and ensure that this information is protected.
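As an added illustration of the classification control mentioned above (example code written for this article, not a McKonly & Asbury tool), the following Python scanner labels constructed sample records as PII, PCI, or PHI. The field-name lists, the SSN pattern, and the card-number pattern are assumptions for the example; card candidates are confirmed with the Luhn checksum so that ordinary digit runs are not flagged as PCI data.

```python
import re

# Assumed field names that mark a record as PII or PHI (illustrative only).
PII_FIELDS = {"name", "email", "address", "dob", "ssn", "drivers_license"}
PHI_FIELDS = {"diagnosis", "provider", "insurance_member_id", "procedure_code"}

# US SSN in dashed form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by spaces or dashes (card candidates).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample records; none of these values are real.
SAMPLE_RECORDS = [
    {"name": "Pat Example", "email": "pat@example.com", "dob": "1990-01-01"},
    {"customer": "C-1001", "card": "4111 1111 1111 1111", "note": "POS sale"},
    {"name": "Sam Example", "diagnosis": "J45.20", "provider": "Dr. Example"},
    {"ticket": "T-7", "note": "tracking number 1234567890123"},
]


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    digits = [int(ch) for ch in number if ch.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_record(record: dict) -> set:
    """Return the set of data classes ({'PII', 'PCI', 'PHI'}) present in a record."""
    labels = set()
    for field, value in record.items():
        key, text = field.lower(), str(value)
        if key in PII_FIELDS or SSN_RE.search(text):
            labels.add("PII")
        if key in PHI_FIELDS:
            labels.add("PHI")
        for match in CARD_RE.finditer(text):
            if luhn_valid(match.group()):
                labels.add("PCI")
                labels.add("PII")   # the article counts card numbers as PII too
    return labels


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(sorted(classify_record(rec)) or ["unclassified"], rec)
```

Records that come back with more than one label are the overlap the article describes, and are the ones whose access and encryption controls an audit will look at first.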
If you would like more information regarding security incidents or help setting up your company’s incident response plan, McKonly & Asbury would be happy to help. We currently offer the full suite of SOC services to clients in a broad variety of industries. Be sure to visit our System and Organization Controls (SOC) service page and don’t hesitate to contact us with any questions.