Should healthcare organizations continue to overlook PCI DSS compliance?
The Payment Card Industry Data Security Standard applies to organizations that handle card data. If your practice stores, processes, or transmits credit-card data, then this article is for you.
Compliance with the PCI DSS is compulsory for all healthcare providers. The standard is about data security. It requires that you become aware of the weaknesses in your electronic payment system, and take proactive steps to protect the credit-card data in your information systems.
Why you need to look into PCI DSS compliance
Overlooking PCI DSS compliance can have disastrous consequences for a healthcare provider:
- The financial impact of a data breach can be huge for a healthcare provider. In 2020, the cost of a breach increased to $7.12 million.
- PCI compliance violations can cost the processing bank or merchant service provider fines of up to $500,000 per incident when their clients are non-compliant. Such fines are passed back to the client whose security practices did not meet the PCI Standard. The event can also lead to termination of the relationship between the bank and the client.
Payment Card Industry Data Security Standard
The PCI DSS is a framework for complying with the industry guidelines that require businesses to protect sensitive customer information. It applies to organizations that store, process, or transmit credit card data.
The Standard is put in place to protect organizations against credit card fraud and theft. All healthcare providers that handle or process credit cards need to comply with it.
The PCI DSS covers both technical and operational standards for handling credit card data, including:
- Access to credit card data,
- Transferring the information, and
- Storage, retention, and disposal of the data.
To comply with the PCI Standard, healthcare providers need to:
- Protect the cardholder data
- Maintain a vulnerability management program
- Put in place strong access control measures
- Monitor and test networks
- Maintain an information security policy
The standard applies only to those information systems that store, process or transmit credit card data. Thus, it’s a good practice to separate out credit card data transactions from other operations.
How to assess your compliance with PCI DSS
Steps for assessing PCI Compliance
- Figure out which departments in the organization handle or process credit cards. Look at all the departments. Examples include admission and registration, patient financial services, outpatient services, clinics, urgent care centers, pharmacy, cafeteria, and the cashier.
- Assign the responsibility of PCI DSS compliance to a member of your team. The person should be a high-level executive.
- Determine the merchant level and type of the organization. This determination depends upon:
  - The number of transactions that you process
  - The environment that you process the transactions in. Do you use point-of-sale terminals, or a secure website for processing the transactions?
- Create a transaction workflow map that shows how credit-card transactions take place in the organization and where you store the data.
- Identify the applications and systems used for handling the credit card data.
- Prepare an inventory of point-of-sale terminals or cash register systems.
- Conduct your initial self-assessment by filling out the self-assessment questionnaire. If you find shortcomings in your system, then determine how you will address them.
Note: Providers that handle large card transaction volumes need to conduct independent audits and vulnerability tests, while those with smaller transaction volumes must carry out a self-assessment, and complete a self-assessment questionnaire that describes how they accept card payments. All providers, whether large or small, need to complete an attestation of compliance.
You need to put in place policies and procedures for handling credit card data. A copy of your policy should be distributed to all employees. Employees must receive PCI DSS compliance training as well. The Standard requires you to train employees who handle credit cards when they are hired, and then annually after that. You are also required to collect acknowledgments from employees stating that they have been trained in their responsibilities and have received a copy of the policy.
PCI DSS and HIPAA
Compliance with the PCI DSS can help healthcare providers comply with the HIPAA security rule as well. There’s an overlap between the PCI DSS and HIPAA rules. Putting in place common controls could ease the burden of having multiple systems. You could avoid a lot of reengineering effort and repetition. Moreover, security requirements under the PCI Standard are much more specific than HIPAA. Compliance with PCI Standard can help boost the security of all information systems.
Compliance with PCI DSS can be more challenging. Although the data security standard is managed by the PCI council, credit card brands have their own compliance and enforcement programs. They make separate determinations when validating compliance. These validations are generally a requirement for the bank that handles your transactions.
Most banks send letters to their clients, and ask the client to validate their compliance with the PCI standard. The process includes filling out the self-assessment questionnaire, and passing a vulnerability scan. You need to have a robust system in place to ensure that this process is carried out seamlessly.
With the cost of a data breach rising to $7.12 million, healthcare providers need to start taking PCI DSS compliance seriously, especially now, when most monetary transactions are done electronically.