
In an increasingly digital world where customer data is collected at many touchpoints, the protection of personal information is becoming ever more important for businesses worldwide. There are three core types of personal information that global privacy regulations require to be protected: Personally Identifiable Information (PII), Payment Card Industry (PCI) data, and Protected Health Information (PHI). A fourth type of data whose definition, depending on the jurisdiction, captures some or all of the foregoing three is ‘sensitive data.’ The following blog provides a high-level overview of the first three common types of personal information. All three terms have US origins, but they describe concepts that are relevant in the data privacy context across many jurisdictions, where they may go by other names.
PII, PCI, and PHI are acronyms that refer to different types of information which are protected under data privacy laws, regulations, or industry standards due to their sensitive nature. The following table sets out the meaning, origin, examples, and comparable terms in other jurisdictions.
When we look at the formal definitions of PII, PHI, and PCI you’ll notice that PII is an umbrella term which actually captures PCI and PHI, though they each have their intricacies.
The OMB Memorandum M-07-16 defines “personally identifiable information” as:
“information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, …”
As for the definition of PHI, it is quite lengthy. In summary, there are five elements to it: PHI is information that (1) is created or received by a specific entity, (2) consists of particular content relating to an individual's health, (3) identifies or is reasonably likely to identify the individual, (4) is transmitted in a certain way, and (5) is not excluded from the definition.
Lastly, PCI stands for information protected under the PCI Data Security Standard (PCI DSS), a standard drafted by an independent body brought to life by major credit card companies. The protected information is called ‘account’ data and is composed of cardholder and sensitive authentication data (see the list in the table above). All this information can be used to distinguish or trace an individual’s identity when combined with other personal or identifying information.
The distinction between PII, PCI, and PHI exists in the US because the subcategories of PHI and PCI are so sensitive that the need to regulate them, in the absence of a comprehensive data protection law spanning all states, overcame the political difficulties (in the case of HIPAA) of enacting a federal law addressing the issue. With regard to PCI, a private-sector initiative solved the problem: the major credit card companies formed an independent body to set out standards protecting PCI, which are imposed contractually on organizations handling PCI.
The situation is the inverse in Europe with regard to health information. With the GDPR, the EU succeeded in enacting a general data protection law, albeit after a process that took years. While the GDPR also applies to health and financial data, local idiosyncrasies required flexibility to reach agreement among all member states' representatives. Therefore, the GDPR explicitly permits member states to require stricter safeguards than those provided for in the GDPR, which sets only the minimum standard of protection.
Similarly, Europe has so far failed to establish a harmonized card payment regime. Likely because Europeans are generally more conservative regarding card payments, it is harder for payment service providers to scale, so the focus is often on proprietary but low-cost national card schemes that set out their own compliance requirements in their contracts with merchants. An effort is underway, however, to implement a harmonized European card payment system.
How Private AI Can Help With Compliance
Having visibility into what data exists within your organization and where it lives will allow you to determine what measures you must put in place to comply with the applicable legislation or industry standard regarding PII, PCI, and PHI.
Private AI can help you make that determination, identifying 50+ entities of PII, PHI, and PCI in unstructured data across 47 languages. Using the latest advancements in Machine Learning, the time to identify and categorize your data can be minimized and compliance facilitated. To see the tech in action, try our web demo, or request an API key to try it yourself on your own data.
Frequently Asked Questions (FAQ)
What do the acronyms PII, PCI, and PHI stand for?
These acronyms refer to core types of sensitive personal information protected by global privacy regulations and industry standards:
- PII: Personally Identifiable Information
- PCI: Payment Card Industry (referring to the data protected by the PCI DSS)
- PHI: Protected Health Information
How are PII, PCI, and PHI related?
PII is generally an umbrella term that captures both PCI and PHI. While each has specific intricacies and regulatory frameworks, both health data (PHI) and payment card data (PCI) can be used to distinguish or trace an individual's identity, meaning they fall under the broader category of PII.
What are examples of data considered PHI and under which U.S. law is it protected?
PHI (Protected Health Information) is individually identifiable information relating to a person’s health contained in medical records. Examples include: medical diagnoses, treatment information, lab results, and billing information. It is protected under the U.S. HIPAA Privacy Rule.
What types of data are protected under the PCI standard?
The PCI Data Security Standard (PCI DSS) protects account data, which is composed of two main parts:
- Cardholder Data: Includes the Primary Account Number (PAN), cardholder name, expiration date, and service code.
- Sensitive Authentication Data (SAD): Includes card validation codes (CVV), full track data, and PINs/PIN blocks.
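The two halves of PCI account data call for different handling when they turn up in unstructured text such as support tickets or logs. Cardholder data like the PAN can be retained if protected, so it is typically masked for display; sensitive authentication data must not be retained after authorization at all. The script below is an added example (not Private AI's code and not part of the original post) that scans free text for PANs, confirms each candidate with the Luhn check so that a look-alike order number is not flagged, masks confirmed PANs to the usual first-six/last-four display form, and strips labelled SAD outright. The sample ticket text is constructed, and the assumption that SAD appears next to a label such as `CVV:` or `PIN=` is a simplification for illustration.

```python
import re

# Constructed sample of unstructured text (e.g. a support ticket); not real data.
SAMPLE_TEXT = (
    "Ticket 48213: customer paid with card 4111 1111 1111 1111, exp 12/26, "
    "CVV: 123. Order ref 1234567890123456 shipped."
)

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Labelled sensitive authentication data. Assumption: in free text SAD shows up
# next to a label such as "CVV:" or "PIN="; real data may need more patterns.
SAD_LABELLED = re.compile(r"\b(?:CVV2?|CVC2?|PIN)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits, the usual display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_account_data(text: str) -> dict:
    """Find PCI account data in free text; return findings and a redacted copy.

    Cardholder data (PANs) is masked; sensitive authentication data is removed
    entirely, since it may not be retained after authorization.
    """
    pans: list[str] = []
    sad: list[str] = []

    def sad_repl(m: re.Match) -> str:
        sad.append(m.group(0))
        label = m.group(0).split(":")[0].split("=")[0].strip()
        return f"{label}: [REDACTED SAD]"

    def pan_repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):   # e.g. an order number: leave it untouched
            return raw
        pans.append(digits)
        return mask_pan(digits)

    redacted = SAD_LABELLED.sub(sad_repl, text)
    redacted = PAN_CANDIDATE.sub(pan_repl, redacted)
    return {"pans": pans, "sad": sad, "redacted": redacted}


if __name__ == "__main__":
    result = scan_account_data(SAMPLE_TEXT)
    print(result["redacted"])
    print("cardholder data found:", result["pans"])
    print("sensitive authentication data found:", result["sad"])
```

On the sample text the 16-digit order reference fails the Luhn check and is left alone, while the card number is masked and the CVV is removed; in practice a scanner like this is a first pass, and the findings feed the inventory of where account data lives that the compliance assessment needs.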
Why were separate regulations (like HIPAA for PHI) created in the U.S. instead of one comprehensive data protection law?
The distinction arose because PHI and PCI are highly sensitive subcategories. In the absence of a single comprehensive federal data protection law, the need to regulate these specific, highly sensitive data types (such as health information) led to the enactment of a separate federal law (HIPAA). For PCI, the private sector (the major credit card companies) established contractual standards (PCI DSS) instead.