PCI COMPLIANCE: WHAT IS IT AND WHY DOES IT MATTER?
By Guest Blogger: Cheryl Donahue
Whenever a merchant processes, stores or transmits cardholder data, it takes on responsibility for protecting that information. Failure to properly secure sensitive information can result in costly fines, audit costs, restrictions or worse should an actual breach occur. To keep businesses accountable and consumer information safe, the card brands (Visa, MasterCard, Discover and others) created the Payment Card Industry Data Security Standard (PCI DSS), referred to here as PCI. Yet most merchants have no knowledge of the PCI requirements, how to determine whether they are compliant, or whether they are being charged for non-compliance.
The PCI standard consists of 12 requirements ensuring that policies, procedures, training and security measures are in place for the privacy and protection of consumers and merchants alike. To further this goal, every system used to transmit cardholder data must be secured, and every staff member must know how to safely handle patient credit card information. A breach of patient information is damaging not only to the patient but also to the practice.
A lesser-known requirement is the Self-Assessment Questionnaire (SAQ), which applies to all practices accepting credit cards from patients. Additionally, practices using a card swipe or terminal that transmits information over the internet (which includes everyone who integrates patient payments with their practice management software) must in most cases also pass Quarterly Vulnerability Scans.
Many reading this may be thinking, “Why have I never heard of this before? It certainly seems important!”
And it certainly is.
However, most merchant providers do not take a proactive approach to notifying a practice that it is not PCI compliant, leaving the practice unaware and open to penalties. In fact, 40% of the statements analyzed at Merchant Advocate show a fine for non-compliance. How could that be? My theory is, and I have been in the merchant industry for 20 years, that processors make a lot of money when their clients are not compliant, eliminating any motivation for them to shut off that revenue stream. Many processors charge between $20 and $60 EACH MONTH for non-compliance. Think of how much revenue that produces! The worst case I have run across was a practice being charged $175 every month for over two years.
How to determine your compliance. Gather three consecutive, current monthly merchant statements and look towards the end of each statement. Find the section that contains line items such as the monthly statement fee, batch fees and the FANF fee; this is generally where a fine for non-compliance appears.
Here are some of the descriptions for this non-compliance fine:
Now it gets even more confusing! The Self-Assessment Questionnaire (SAQ) can quickly bring on a headache, but help is available. The company the processor contracts with to provide PCI services typically has a support team to help navigate the process. If a practice requires a Quarterly Vulnerability Scan (QVS), its IT firm should be able to help; if not, it may be time to find a new IT firm. If they have no idea what a QVS is, that is a bad sign. An IT firm should be well versed in the PCI process and have trained staff readily available for assistance. A failed QVS can be a sign of an insecure network, leaving consumer information exposed to attackers. If a QVS fails, the IT firm should download the scan report, remediate the findings, inform the client when that work is complete, and have the scan run again. A completed SAQ and a passed QVS (if required) are both needed to achieve compliance and avoid unnecessary fees.
Why you should get compliant. Yes, at first glance this may seem like a lot of work for a small payoff. Recently, I had a dentist tell me that for a charge of $39 per month he felt it wasn’t worth his office manager’s time to go through the process. It’s important to note that he is a Merchant Advocate client and I was going to help his office manager navigate the entire process. Here’s my two cents on why a dental practice ABSOLUTELY should take the time to achieve PCI compliance.
Fines for not being PCI compliant can quickly skyrocket. The cost of an average breach in a regulated industry (dental practices are regulated) is $155 per record. How many patient records do you have? It adds up pretty fast, doesn’t it?
PCI and HIPAA overlap. The HIPAA Security Rule requires that patient data, including credit card information, be secured. PCI requires that credit card data be secured. If a breach occurs, it’s double trouble. Medical/healthcare breaches are the second largest category of breaches, and the top two cyber-crimes are identity theft and credit card theft. Basically, a dental practice is a gold mine for cyber thieves.
PCI and HIPAA also share common requirements for policies, procedures and training. PCI requires that policies address staff procedures, network security, data privacy, and acceptable use of email, texting, the internet and paper records. That sounds a lot like the requirements of the HIPAA Security Rule. The Security Rule recommends a penetration test of your network, while PCI requires a vulnerability scan. If your QVS passes, meaning the scan found no disqualifying vulnerabilities, it is likely that your network is also reasonably secure against outside attackers.
To sum up, PCI compliance should be taken seriously by all dental practices. Not only does it protect patients, it protects the reputation and jobs of the staff, as well as the very future of the practice.