Health care providers are certainly no stranger to data privacy and security standards, especially those related to HIPAA. While many health care providers are well versed in the HIPAA security standards, very few are aware of another major compliance standard that applies to them if they accept credit cards for payment: the Payment Card Industry Data Security Standard, commonly referred to as PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) was designed by five major card brands: Visa, MasterCard, American Express, Discover and JCB. The objective of the standard is to protect customer privacy and credit card information. Traditionally, PCI compliance has only received attention from the major retailers. However, PCI compliance is not only for retailers; it affects any organization that takes credit cards for payment, including health care organizations.
Many health care organizations may not realize the large quantity of credit card transactions they are processing across the many different areas of their organization. Health care organizations may process credit card information at registration and admittance areas, pharmacies, gift shops, cafeterias, in-room services and/or online billing and payment processes. Regardless of how, when or why they are taking a credit card for payment, health care organizations must be PCI compliant.
The requirements for PCI compliance vary by organization. The variance is based on the number of transactions processed, as well as on how the transactions are processed, transmitted or stored. Any health care organization that processes more than 6 million card transactions per year is considered a Level 1 merchant (L1) and must complete an annual on-site assessment and an annual external vulnerability scan (performed by an Approved Scanning Vendor), and must submit a Report on Compliance signed by a PCI DSS Qualified Security Assessor (QSA) company or by a C-level officer of the organization. Organizations that fall within Levels 2 through 4 (L2-L4) are required to audit their card processing environment and submit an annual self-assessment questionnaire indicating compliance, as well as complete an external network vulnerability scan (performed by an Approved Scanning Vendor).
The last thing most health care organizations want to be concerned about is another compliance regulation; however, because the data security standards for PCI compliance are built upon security best practices, some of the requirements of PCI DSS are likely being met if the health care organization is complying with the HIPAA Security Rule.
Timing is of the essence; the push for PCI compliance was initiated in 2006, and the deadlines for achieving compliance have long since passed. Companies that missed those deadlines are potentially exposed to significant risk, including:
- Fines and penalties for non-compliance with PCI and other regulations;
- Termination of the ability to accept payment cards;
- Fraud losses;
- Cost of reissuing new payment cards;
- Cost of legal settlements or judgments;
- Higher costs for PCI Assessments if a breach occurs; and
- Loss of customer confidence.
In order to best mitigate a health care organization's risk and protect the information of its patients and patrons, it is important that the appropriate level of action is taken to prepare the organization for PCI compliance.
Where do you start? Begin by determining your merchant level, which is based on the number of credit card transactions you process annually. Then determine your PCI compliance scope, complete a gap assessment and outline a road map to PCI compliance. If you need help understanding the requirements, developing your path to compliance, or completing the testing and questionnaires for compliance submission, a professional consultant can help you to become compliant based on your specific operations and needs.