Hacker News new | past | comments | ask | show | jobs | submit login

PCI is really rather “good” as far as external auditing bodies go, they give broad guidelines on the kind of policies they expect and it’s up to you to implement policies that make sense and they only seem to care about ensuring access controls and heavy amounts of auditing.

HIPPA however...

You have it backwards. PCI is prescriptive about specific ways you have to implement security, including certain requirements that make very little sense. HIPAA gives broad guidelines and you have flexibility as to how to meet those requirements. You can use a more prescriptive framework such as HITRUST to meet the HIPAA requirements, but you don't have to.

I do not often hear people describe PCI as "rather good", for what it's worth. "An industry scourge" is a more common sentiment.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact