How Healthcare Providers Can Protect Credit Cards by Getting PCI DSS Certification

Healthcare providers are acutely aware of HIPAA requirements to protect patient health information, commonly known as PHI. Yet, it has been widely identified that the healthcare industry as a whole is lagging in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which protects the security of credit and payment card data.

From small, single office practitioners to large third-party administrators of medical claims, healthcare organizations must achieve PCI DSS compliance if they accept payment cards for goods or services. They are not exempt simply because they are HIPAA compliant, which relates to an entirely different set of confidential data.

PCI DSS requirements are mandated by the Payment Card Industry Security Council, which sets security standards on behalf of all the major credit card brands (American Express etc.) The standards governing compliance are extensive and can be difficult to understand.  To help, ERMProtect is providing overall guidance and best practices related to this area of data security.

Is PCI DSS compliance mandatory?

If your organization is storing, processing, or transmitting cardholder data, then compliance with the Payment Card Industry Data Security Standards (PCI DSS) is a strict mandate. With heavy fines looming for non-compliance, now is the time to get serious about obtaining PCI DSS certification.

What is a Merchant vs. Service Provider?

Under PCI DSS, merchants are defined as any entity that accepts payment cards bearing the logos of any of the five big brands (American Express, Discover, JCB, MasterCard, or Visa) for goods/services. Retailers fall into this category.

A service provider is a business entity providing services to another entity that involves the processing, storage, or transmission of cardholder data. This includes cloud service providers, Internet service providers, managed service providers, and so on.  Note that a merchant can also be a service provider if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

What is a Self vs. Onsite Assessment?

There are four (4) levels for compliance (Levels 1 – 4) based on the number of credit card transactions processed. Most merchants fall into the Level 1 - 3 categories and can demonstrate their PCI compliance by filling out a Self-Assessment Questionnaire, also known as an SAQ.

However, if you are a Level 1 Merchant or Service Provider with high-volume transactions, you cannot self-assess your compliance to obtain PCI certification. Instead, you must retain a Qualified Security Assessor (QSA) company like ERMProtect, which is certified by the Payment Card Industry Council to audit your healthcare organization and attest that the standards are met.

Merchants are classified as Level 1 if they process at least 1 million, 2.5 million, or 6 million transactions per year, depending on which credit card brands the merchant accepts.  Service providers (vendors) are classified as Level 1 if they store, process, or transmit more than 300,000 credit card transactions annually.

Do Insurers Need PCI DSS Certification?

Healthcare entities that do not operate in the traditional sense of a merchant but that touch payment card data - such as insurance companies, payment processors, managed service providers - may be classified as a service provider for PCI DSS compliance. This means they are typically required to obtain a Level 1 assessment. They may also be allowed to fill out a self-assessment questionnaire (SAQ D) but it is a challenging, extremely long, and detailed document. Most healthcare-related organizations get help from qualified cybersecurity firms to obtain PCI DSS certification.

What is a PCI DSS Readiness Assessment?

 Before your organization undergoes its first assessment, it is wise to hire a PCI QSA firm to perform a comprehensive readiness assessment. This helps the organization to understand its PCI environment, the elements of IT infrastructure in scope, and remediate any compliance gaps before an actual audit.

What are key steps on the path to compliance?

Ensure adequate policies and procedures - There are approximately fifty (50) different policies, procedures, forms, checklists, and other supporting documents that need to be in place for PCI DSS compliance. This can be an incredibly time-consuming process, so many merchants and service providers turn to the experts like ERMProtect for industry-leading PCI policies and procedures to enable rapid compliance.  Even if your organization has policies and procedures in place, they must be current, mapped to the existing PCI DSS standards, and reviewed for accuracy.

Implement PCI Requirements - Policies mean little to nothing if there are no actual procedures in place to deliver the security requirements of PCI DSS such as awareness training, annual risk assessments,  user security, proper incident response, and more. Healthcare organizations must ensure their planned security measures are actually in place and operating as intended. This assurance would be provided by obtaining a PCI QSA audit.

Practice Continuous Monitoring -  Healthcare organizations must continuously monitor, assess, and enhance internal controls as it relates to policies, procedures, and processes. This will help ensure the continued safety of organizational assets, from customer data (i.e., PHI, cardholder data, etc.) to confidential information (i.e., employee Human Resources file, trade secrets, etc.)

Conduct Scanning and Penetration Testing – Most healthcare providers must conduct vulnerability scanning and penetration testing to be PCI compliant. Vulnerability scanning of both internal and external networks is an excellent tool for identifying threats. Penetration testing, another key tool, involves actual attempts by ethical hackers to exploit your network. Both tests are designed to find security gaps – before hackers do.

How Can ERMProtect Help?

ERM Protect can help your healthcare organization obtain a PCI compliance certification.  As one of the original PCI QSA firms, we are experts at payment card compliance, IT security, and data protection.  We leverage almost 30 years of experience to secure your payment data, protect your business and manage costs and risk.  Contact us at 1-800-259-9660 and ask for Silka Gonzalez to get a quote.