I once worked with both PCI and HIPAA at a consulting firm. Neither had very high bars. PCI compliance was just a yes/no questionnaire that said something like "I do not store unencrypted CC numbers in my DB." No one validates the questionnaire. I just submitted it and got a shiny badge to put on my client's site.
HIPAA compliance was just a half hour webinar.
To be fair, I think HIPAA works in offline contexts (employers can't ask your doctor about your health) but as far as how easy it was for me to get access to customer CCs and medical information... Let's just say the barrier was basically nonexistent.