In this post, we’ll demystify PCI and HIPAA, and explore how Fanatical Support for AWS can help you to select, build and manage the right services at AWS to achieve your business and compliance needs.
A Brief History of PCI
PCI DSS (Payment Card Industry Data Security Standard) was established by a consortium of major credit card companies known as the Payment Card Industry Security Standards Council in 2005. Their expressed goal was to increase security to protect credit and debit card data for both merchants (everyone from global e-commerce sites to local convenience stores) and service providers, which are companies that provide services to these merchants (e.g. Rackspace and Amazon).
This means that merchants need to have the requisite PCI certification to store, process or transmit debit or credit card data. In addition, increased security around credit and debit card data may benefit credit card companies, banks and consumers by reducing the amount of fraudulent activity.
While service providers like AWS and Rackspace have PCI compliant services and can help merchants meet PCI certification criteria, they cannot be PCI certified themselves. Only merchants who self-certify or go through the PCI audit process with a Qualified Security Assessor are PCI certified.
A Brief History of HIPAA
In contrast to PCI DSS, which was conceived by a set of private companies, the Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996. All companies that hold or transmit protected health information (PHI) are required to comply with HIPAA.
HIPAA was introduced to achieve two primary goals:
• Make health-related information easier to share between providers (make it portable) by encouraging the use of electronic medical records.
• Ensure the security of PHI by providing standards for security and privacy.
HIPAA compliance is required of two classes of businesses:
• Covered entities — health care providers, health plans, and health care clearinghouses.
• Business associates — those who provide services involving the use or disclosure of PHI to a covered entity.
Both AWS and Rackspace are examples of business associates.
The following table outlines some similarities and differences between PCI and HIPAA:
| | PCI | HIPAA |
|---|---|---|
| Controlled by | Consortium of Credit Card Companies | US Department of Health and Human Resources (HHS) |
| Number of Eligible AWS Services and Features (May 2016) | 24 | 9 |
| Certification Entity | Self or QSA | Self or External Accreditation Agency |
| Relevant Output | ROC (Report on Compliance) | BAA (Business Associate Agreement) |
| Supported by Fanatical Support for AWS | Yes | Yes |
Why PCI and HIPAA Compliance Matters
In order to attest that your organization is PCI certified, you need to use service providers that offer PCI compliant solutions. Rackspace provides tooling and management on top of the platform and services provided by AWS to help you meet your PCI compliance obligations.
Similarly, any business that interacts with PHI needs to ensure that the service providers they choose to help them transport the PHI have tools that will enable them to comply with HIPAA. AWS has services that are explicitly authorized for this purpose, and Rackspace is able to act as a trusted Business Associate.
How AWS “Building Blocks” Make Achieving Compliance Easier
Two decades after HIPAA was passed and a decade after PCI was born, we’ve seen more and more businesses move to the cloud as companies like Rackspace create solutions that overcome barriers to entry by addressing concerns over who can store, process and transmit protected data. Now that decision is even easier to make thanks to an increasing number of service and infrastructure options that can speed up and streamline the ability to build applications while meeting compliance and security standards.
AWS enables customers to select HIPAA and PCI-eligible services to store, process and transmit critical information to achieve their business objectives. Everyone from small customers to large enterprises can optimize these service and infrastructure building blocks to address issues around security, scalability and cost while using a growing number of innovative services from AWS.
In addition to providing options for backups, disaster recovery and data encryption in transit and at rest, there are also high-value services like AWS Elastic MapReduce which allow for on-demand, fast analysis of data. Now, even a small business can harness the power of big data and summon massive compute clusters to crunch healthcare and bioinformatics data.
The Advantage of Fanatical Support
Just as these service and infrastructure options have made it easier for businesses to work with HIPAA and PCI data, Fanatical Support for AWS makes it easier for you to design, deploy and operate the right infrastructure for your business applications within AWS.
Instead of building your own team of highly-paid, technology-specific experts to design, build and operate your AWS environment, Fanatical Support for AWS provides you with the right mix of human experts and operational tooling to enable you to focus on your core business. Our certified AWS experts can help you design, deploy, manage and optimize your AWS infrastructure based on industry best practices.
Learn how Fanatical Support for AWS can help you get more out of AWS:
Contact us! Our team of AWS experts can help you build a new AWS environment to your specific business and compliance needs.