What does it mean to be PCI compliant?
If you’re not familiar with the phrase “PCI compliant,” fear not. While it can be confusing, a brief introduction can help clarify things greatly.
In 2006, American Express, Discover, JCB International, MasterCard, and Visa joined together to found the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC has a stated mission "to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders."
The PCI SSC developed the PCI Data Security Standard (PCI DSS) to be applied to all entities accepting or processing payment cards. Without getting too into the weeds, complying with PCI DSS requires any business that allows its customers to pay with a card to maintain specific security standards and procedures. It's focused on six main goals:
1. Build and maintain secure networks and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
While digging into the "how" of becoming PCI compliant is beyond the scope of this article, it's worth spending some time getting familiar with the PCI DSS if your practice accepts payment by card. A great starting point is the PCI DSS Quick Reference Guide.
But if this article isn't going to help you become PCI DSS compliant, what will it do? Great question, dear reader! We're going to dive into a few PCI DSS violations that small to medium medical practice owners commonly commit. We’ll also discuss the costly ramifications of not complying with the PCI DSS.
Three Common PCI DSS Violations
PCI DSS violations happen, and that's especially true for small businesses. Running a business can be chaotic, and staying on top of all the rules and regulations can feel like a pretty low priority when you're just doing your best to keep the doors open! So, if you read this and think, "Oh, no! We're in trouble!", try not to get too worked up! It’s more likely than not that you're dealing with a problem you can fix with a little bit of extra elbow grease.
Now, without further ado, three common PCI DSS violations:
1. Accepting card information via email or text
It's important to remember that the basic tenet of PCI DSS is keeping cardholder information safe and secure, so requesting and accepting card information via email or text message is a big no-no.
PCI DSS Requirement 4.2 makes this very explicit: “Never send unprotected Primary Account Numbers by end-user messaging technologies (for example, email, instant messaging, SMS, chat, etc.)."
According to the PCI DSS, the problem here is that "E-mail, instant messaging, SMS, and chat can be easily intercepted by packet-sniffing during delivery across internal and public networks."
So, unless you are tech-savvy enough to "provide strong encryption," you should refrain from using email, text, or other end-user messaging technologies to obtain patient card information.
2. Writing down card information
Sometimes patients call your office and offer to pay over the phone. When this happens, you can usually input their card information directly into the computer and press submit.
However, what happens when a patient calls and the computer is in the middle of an update, or you can't get the payment portal to load? What should you do?
In this scenario, what you should do and what you probably will do are very different. You'll probably just write down the patient's card information and submit the payment later when you have a chance.
Unfortunately, in most cases, this is not PCI compliant. That's because PCI DSS Requirement 9.5 requires you to "Physically secure all media." PCI DSS Guidance spells out: "Cardholder data is susceptible to unauthorized viewing, copying, or scanning if it is unprotected while it is on removable or portable media, printed out, or left on someone’s desk."
So anytime you have possession of a patient's card information, you are responsible for physically securing it. And the best way to do that is to simply refrain from writing down patient card information.
3. Improperly dealing with card information sent by mail
In line with collecting patient information over the phone, patients will sometimes send in their card information via the postal service. When that happens, the same rules that apply to writing down card information apply here. However, you can't just refrain from writing down the card information in this scenario because the patient already wrote it down and sent it to you! And now that you have it, you have a responsibility to keep it safe.
First and foremost, it's essential to keep the card information safe and secure as soon as it enters your possession. That means taking received mail and essentially locking it up. Your best course of action is likely to implement a process of:
1. collecting your mail,
2. identifying pieces of mail containing payment information, and then doing one of the following:
3a. directly entering payment information into your payment system and then shredding the payment information, or
3b. storing the payment information in a secure place, like a safe or lockbox, for later submission and disposal.
Ramifications of PCI DSS Violations
Okay, now that we know a few PCI potholes to avoid, let's do our best “Scared Straight!” impression and fill you in on what can happen if you don't comply with the PCI DSS.
The most tangible ramification you might experience is a fine. These fines can be between $5,000 and $100,000 per month. It's also possible that your bank will increase your transaction fees and that you may be required to cover reversal charges that arise if there is a data breach. All in all, you can end up severely financially hampered by a PCI violation.
Beyond the financial ramifications, the other prominent potential consequence is the loss of goodwill that your practice could experience. If your practice has a data breach due to your PCI non-compliance, the reputation that you've spent years building could be tarnished in minutes. You could become the subject of lawsuits and bad press, and even worse, you'll have the unfortunate task of calling your patients and letting them know that you failed to keep safe the payment information they entrusted to you. It's an ugly situation, and not one that any doctor or practice manager will enjoy.
What can you do?
At this point, hopefully you can see that you should not take PCI violations lightly. You know a few major red flags to avoid, but what about the other requirements? PCI DSS isn't just "don't write down patient payment info." It’s a lot more than that. But if you're reading this, you're probably not a PCI expert; instead, you’re probably a doctor, office manager, or billing coordinator. You may want to be PCI compliant, but wanting something and knowing how to do it are two different things.
Fortunately, you can outsource a lot of this. You can partner with a PCI-compliant payment processing platform to ensure that you're keeping patient card information safe during and after the transaction. This can help you feel comfortable with your practice's security without becoming a software engineer and building a solution yourself.
You can also educate yourself on PCI best practices to ensure that your in-office procedures are up to snuff. Having a PCI-compliant payment platform is great until your receptionist writes down a patient's card information and leaves it on the desk only for a mischievous patient to swipe it on their way out the door. The internet is full of great resources, and the best place to start is the PCI SSC website. They even offer training programs to help organizations like yours stay compliant.
Don’t put off PCI compliance. Putting it off is a disaster in the making, but it doesn’t have to be. By implementing the proper procedures and systems, your practice can be compliant before you know it.
If you’re interested in learning more about how Peachy can help your organization securely accept patient card information, you can learn more here.