Regulations are popping up at every turn. What does all this mean to you and your practice? Not only must you comply with the Health Insurance Portability and Accountability Act (HIPAA), there are other regulators and industry standards bodies peeking over your shoulder.
If you accept credit cards, you are required to comply with the PCI (Payment Card Industry) Data Security Standard (PCI DSS). Your exact compliance requirements are set by your payment brand or acquirer, and only they can tell you precisely what applies to you. Before you take action, however, you may want to get background information and a general understanding of what you will need to do from the information and links here.
Doctors' offices are full of incredibly sensitive data. People trust you to keep their medical and personal information secure. Part of your job is to realize that there are unscrupulous people ready to steal that information to file fraudulent insurance claims, create duplicate passports and other IDs, and steal credit card data. Doing your due diligence and creating a safe environment for card transactions goes hand in hand with your other safety measures.
The major considerations in safeguarding your practice are encrypting equipment, trained personnel, written policies and secure storage.
- If your credit card terminals are more than five years old, you are very likely asking for trouble. Newer terminals use encryption technology designed to keep hackers from capturing cardholder data. Fines in excess of $50,000 can be assessed for each occurrence of theft made possible by your outdated equipment. Your processing equipment may need a checkup; you recommend the same to your patients!
- Your office staff is your first line of defense in protecting information. PCI compliance training on the proper care and handling of credit card information takes little time but could be priceless if it prevents fraud or theft. The loss of patient confidence and the hours spent cleaning up after a breach cost far more. Each employee needs to know how to process, verify, secure and store card information, and when to destroy records.
- Your operations manual should have a section dedicated to PCI compliance. A written policy and precise SOPs will reduce mistakes and make each member of your staff more confident. A large share of card information theft is internal fraud (employee theft), and too often it is a crime of convenience. Keep people honest by limiting the number of people who have access to this information. Passwords should be unique to each individual, with no shared accounts, and the default passwords on terminals and other equipment should be changed before they go into service.
- Any payment card information you must keep should be stored under lock and key. Access to those numbers carries a large responsibility, and only those who have your full trust should be given it. This information in the wrong hands could mean the end of your practice.
Many firms offer PCI insurance as well as system checks on equipment. Be wary of buying anything without doing your due diligence: there have been instances of these "protection" firms turning out to be data skimmers themselves. As always, an ounce of prevention is worth a pound of cure. The PCI SSC website and the BBB are good sources for reputable firms and products; Trustwave is the largest and most well-known.
Another step in the defensive battle is to validate your PCI compliance. You do this by completing a Self-Assessment Questionnaire (SAQ). There are several versions of the SAQ, and which one applies depends on the equipment you use and the type of transactions you process. If you would like a security professional's guidance to achieve compliance and complete the SAQ, you are encouraged to seek it. Please recognize that, while you are free to use any security professional of your choosing, only those included on PCI SSC's list of Qualified Security Assessors (QSAs) are recognized as QSAs and trained by PCI SSC. This list is available at https://www.pcisecuritystandards.org.
The PCI Security Standards Council (SSC) provides a variety of educational resources to further security awareness within the payment card industry. These resources include PCI DSS training for Internal Security Assessors (ISAs) and Standards Training. The PCI SSC website is also a primary source for additional resources, including:
- The Navigating PCI DSS Guide
- The PCI DSS Glossary of Terms, Abbreviations and Acronyms
- Frequently Asked Questions (FAQs)
- Information Supplements and Guidelines
- Attestations of Compliance
Please refer to www.pcisecuritystandards.org for more information.
There are a variety of fines and policies specified by each of the major card companies. To learn what your specific compliance requirements are, check with your card brand compliance program:
- American Express: www.americanexpress.com/datasecurity
- Discover Financial Services: http://www.discovernetwork.com/disc.html
- JCB International: http://www.jcb-global.com/english/pci/index.html
- MasterCard Worldwide: http://www.mastercard.com/sdp
- Visa Inc: http://www.visa.com/cisp
For more business centric information about PCI Regulations, you can download the Getting Started Guide and/or the Quick Reference Guide from
Check with your credit card processing professional soon to make sure you are operating a safe processing environment. A breach means more than fines and time-consuming fixes; it means a loss of confidence by your patients.
Safe practices are healthy practices!
Article Published in Medical News December 2011
Written by Bobbi Govanus, Retriever Payment Systems