What Is PCI Compliance in Healthcare?
If your business accepts credit or debit card payments, your IT and payment infrastructure must be PCI compliant.
PCI compliance in healthcare works the same way as in any other industry. Some of your security policies will overlap with what HIPAA requires, but when you handle cardholder information, the PCI rules you must follow are the same as for any other merchant.
Understanding PCI compliance can still be challenging, so this guide walks through the standard, who it applies to, how compliance is validated, and what to watch for when taking payments by phone.
An Intro to PCI Compliance.
PCI is shorthand for PCI DSS, the Payment Card Industry Data Security Standard: a set of technical and operational requirements for protecting cardholder data.
With the boom of the Internet and eCommerce, the volume of sensitive payment data in circulation, from credit and debit card numbers to other electronic payment details, grew rapidly. Every merchant handling that data was exposed to new risks, with digital payment fraud steadily on the rise.
It was in the interest of both the card brands and merchants to find a common way to secure people's payment information.
In response, the card brands convened to create a single set of standards for handling payment data. American Express, Discover Financial Services, JCB International, Mastercard, and Visa together introduced version 1.0 of the PCI DSS in 2004.
The standard has been revised several times since. In 2006 the same brands founded the PCI Security Standards Council (PCI SSC), an independent body that now maintains the standard and oversees the programs around it, such as the qualification of assessors and scanning vendors.
Who does the PCI DSS apply to?
The PCI DSS requirements apply to any organization that stores, processes, or transmits cardholder data. It does not matter whether you are a large organization or a small business that only handles a few payments a week: if you accept payment cards, PCI DSS applies to you.
Healthcare organizations are no exception. A practice, clinic, or hospital that takes card payments for co-pays, balances, or services from patients, third-party providers, and clients handles cardholder data and is in scope.
What’s defined as cardholder data?
The PCI Security Standards Council (SSC) defines cardholder data as the full Primary Account Number (PAN), on its own or together with any of the following:
- Cardholder name
- Expiration date
- Service code
The standard separately defines sensitive authentication data (SAD): full magnetic stripe (track) data or its equivalent on a chip, the card verification code (CAV2, CVC2, CVV2, CID), and PINs or PIN blocks. SAD may be used during authorization but must never be stored after authorization, even in encrypted form.
Why does PCI compliance matter?
Though large-company data breaches are the ones that make the news, more than 90% of card data breaches occur at small merchants. A typical breach costs a small merchant between $25,000 and $50,000, and costs can run from $10,000 to $500,000 or more.
Non-compliant merchants also face fines passed on by their acquirer and can lose the ability to accept card payments at all.
PCI DSS reduces the likelihood of a breach and limits the financial exposure to the business if one does occur.
In addition to financial risks, a data security breach can incur catastrophic damage to a business’ reputation.
A study by Centrify of 113 companies that experienced a data breach involving the loss of consumer data found that 65% of consumers lost trust in the organization and 27% discontinued their relationship with the organization.
A business may find it impossible to continue after the financial and brand-related repercussions of a data breach.
Though it can be difficult to achieve, PCI compliance does help prevent breaches. Verizon's payment security research makes the point starkly: in 14 years of investigating payment card breaches, it has not found a single breached organization that was fully PCI DSS compliant at the time of the breach.
The 12 requirements for PCI DSS compliance.
The official requirements and supporting documents are published on the PCI Security Standards Council website. For convenience, the 12 requirements are summarized below, in the standard's own order:
- Install and maintain a firewall configuration to protect cardholder data.
Firewalls are the first line of defense between your cardholder data environment and untrusted networks. They act as gatekeepers, permitting only the inbound and outbound traffic your organization has explicitly allowed. Document every rule and its business justification, deny anything not expressly permitted, and review the rule set regularly (the standard calls for at least every six months) so it keeps pace with changes in your environment and with newly discovered vulnerabilities.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
Default credentials are the easiest way into a device: lists of factory logins for routers, modems, point-of-sale (POS) systems, and other vendor hardware and software are freely available online. Change every default password and remove or disable default accounts before a device enters service, give each system its own unique credentials, and harden the configuration by disabling services and features you do not need.
- Protect stored cardholder data.
Keep as little cardholder data as possible, for as short a time as possible: data you never store cannot be stolen from you. Wherever the primary account number (PAN) is stored, it must be rendered unreadable, using strong encryption, truncation, one-way hashing, or tokenization. When a PAN is displayed, mask it so that at most the first six and last four digits are visible. Sensitive authentication data (full track data, card verification codes, PINs) must never be stored after authorization, even encrypted. Regularly scan file shares, databases, logs, and backups for unencrypted PANs that have strayed outside the places you expect them.
- Encrypt transmission of cardholder data across open, public networks.
Storing data is one thing; moving it is another. Whenever cardholder data crosses a public network, it must be protected with strong cryptography (for example, a current version of TLS) and sent to a trusted payment gateway. Never send unprotected PANs over end-user messaging such as email, chat, or SMS. Always know where the data originates and which party will receive it.
- Protect all systems against malware and regularly update anti-virus software.
Anti-malware protection is an absolute requirement. Every workstation, server, and mobile device that touches cardholder data, or that is commonly affected by malware, must run an anti-malware solution that is active at all times, kept current, generates audit logs, and cannot be disabled by ordinary users.
- Develop and maintain secure systems and applications.
Firewalls and anti-virus software get most of the attention when it comes to updates, but patching everything else, from operating systems to messaging platforms, email, and workplace tools, matters just as much. Vendors release security patches as new vulnerabilities are found, and PCI DSS expects critical patches to be installed within one month of release. Software you develop in-house must follow secure coding practices and be tested for common flaws before release.
- Restrict access to cardholder data by business need to know.
Cardholder data should never be open to everyone in your organization. Grant access only to staff with a defined need, set privileges to the minimum each role requires, and deny by default. Maintain a living record of who has access, and log every grant and revocation.
- Identify and authenticate access to system components.
Never let employees share logins. Every user gets their own unique ID and credentials for each system, so that any action, and any breach, can be traced to a specific person or device. Multi-factor authentication is required for all non-console administrative access to the cardholder data environment and for all remote network access into it.
- Restrict physical access to cardholder data.
Whether data lives in filing cabinets or in a data center, secure the entry points. Use individually assigned badges or key cards, visitor logs, and video monitoring to ensure only authorized people reach these spaces, and control paper and electronic media through their whole life cycle, destroying them securely when they are no longer needed.
- Track and monitor all access to network resources and cardholder data.
Log every access to cardholder data: who, what, when, from where, and whether it succeeded. Protect the logs from tampering, retain them for at least a year with at least three months immediately available, and review them daily, with automated tooling where possible, to spot irregularities such as unusual volumes or off-hours access. Good records are what make a breach investigation possible.
- Regularly test security systems and processes.
A PCI-compliant environment has many moving parts, and malfunctions or human error can open gaps. Internal and external vulnerability scans, automated tests that search your infrastructure for known weaknesses, are required at least quarterly and after significant changes; the external scans must be performed by an Approved Scanning Vendor (ASV). Depending on your business size and SAQ type, you may also need penetration testing, a hands-on exercise in which a tester emulates an attacker trying to reach your cardholder data, at least annually and after significant changes.
- Maintain a policy that addresses information security for all personnel.
Establish a written security policy that defines how technology touching cardholder data may be used and what each employee is responsible for. Train all personnel on PCI compliance and the risks of a breach, on hire and at least annually, and standardize procedures, including an incident response plan, so staff know exactly what to do if a breach is suspected.
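A practical companion to the stored-data requirement above is a discovery scan for PANs that have leaked into places they should not be. The Python script below is an added illustration, not part of the original article and not PCI SSC material: it searches text (log files, database exports, support tickets, call transcripts) for digit runs that look like card numbers, confirms candidates with the Luhn check that every real PAN satisfies, and masks hits to the first six and last four digits. The regular expression, the log format, and the sample lines are constructed for this example; the card numbers are the well-known Visa, Mastercard, and American Express test numbers, not real accounts.

```python
import re
from typing import List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run. Pattern constructed for this example;
# tune it to the separators your own data sources use.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every real PAN passes; roughly 1 in 10 random digit runs does,
    so expect some false positives (order numbers, tracking IDs) and review hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _as_pan(match: "re.Match") -> Optional[str]:
    """Return the bare digits if the regex match is a Luhn-valid PAN, else None."""
    digits = re.sub(r"\D", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return digits
    return None


def find_pans(text: str) -> List[str]:
    """Return every unmasked PAN found in text. The result is itself cardholder data:
    mask it before writing it to a report or ticket."""
    return [p for p in (_as_pan(m) for m in CANDIDATE.finditer(text)) if p]


def _mask_match(match: "re.Match") -> str:
    pan = _as_pan(match)
    return mask_pan(pan) if pan else match.group(0)   # leave non-PAN digit runs alone


def redact(text: str) -> str:
    """Return text with every Luhn-valid PAN masked in place."""
    return CANDIDATE.sub(_mask_match, text)


# Constructed sample: an application log in which PAN leaked into two lines.
# "order=1234567890123456" is 16 digits but fails Luhn, so it is not treated as a PAN.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=jdoe action=checkout card=4111 1111 1111 1111 exp=12/27
2024-05-01T09:14:41Z user=jdoe action=refund order=1234567890123456 card=5555-5555-5555-4444
2024-05-01T09:20:00Z user=asmith action=ping host=10.0.0.1 phone=602-555-0142
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("unprotected PAN found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Run against exports and log directories on a schedule; a hit outside the systems you have documented as storing PAN is a scope problem to fix, not just a line to redact. Candidates are deliberately filtered by Luhn before they are reported, so the report does not fill up with timestamps, phone numbers, and order IDs.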
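For the logging requirement above, the following Python script is an added example (not from the article, and not any vendor's product) of the kind of daily review the standard asks for. It parses a constructed cardholder-data access log, counts PAN views per user per day, and flags any user-day whose count is far above the baseline, along with any PAN views outside business hours. The log format, field names, user names, thresholds, and the assumption that timestamps are UTC are all constructed for this example.

```python
import re
from collections import Counter
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample log: one line per access to a cardholder record.
# Format assumed for this example: ISO timestamp, user, action, record id.
# "bchen" is quiet on day one, then pulls nine records at 01:00 on day two.
ACCESS_LOG = """\
2024-05-01T08:02:11Z user=jdoe action=view_pan record=pt-1041
2024-05-01T08:05:47Z user=jdoe action=view_pan record=pt-1042
2024-05-01T08:15:30Z user=jdoe action=view_pan record=pt-1044
2024-05-01T08:09:02Z user=asmith action=view_pan record=pt-1043
2024-05-01T08:40:19Z user=asmith action=view_pan record=pt-1050
2024-05-01T09:16:12Z user=bchen action=view_pan record=pt-1045
2024-05-02T08:03:00Z user=jdoe action=view_pan record=pt-1101
2024-05-02T08:07:21Z user=jdoe action=view_pan record=pt-1102
2024-05-02T08:12:54Z user=jdoe action=view_pan record=pt-1103
2024-05-02T08:30:00Z user=asmith action=view_pan record=pt-1104
2024-05-02T08:44:33Z user=asmith action=login record=-
2024-05-02T08:45:10Z user=asmith action=view_pan record=pt-1105
2024-05-02T01:10:00Z user=bchen action=view_pan record=pt-1201
2024-05-02T01:10:31Z user=bchen action=view_pan record=pt-1202
2024-05-02T01:11:02Z user=bchen action=view_pan record=pt-1203
2024-05-02T01:11:40Z user=bchen action=view_pan record=pt-1204
2024-05-02T01:12:15Z user=bchen action=view_pan record=pt-1205
2024-05-02T01:12:50Z user=bchen action=view_pan record=pt-1206
2024-05-02T01:13:27Z user=bchen action=view_pan record=pt-1207
2024-05-02T01:14:03Z user=bchen action=view_pan record=pt-1208
2024-05-02T01:14:39Z user=bchen action=view_pan record=pt-1209
this line is corrupt and should be counted, not silently dropped
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)


def parse(log: str) -> Tuple[List[dict], int]:
    """Parse log lines into dicts. Also returns the number of unparseable lines:
    gaps or garbage in an audit log are themselves a finding."""
    events, bad = [], 0
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append(m.groupdict())
        elif raw.strip():
            bad += 1
    return events, bad


def daily_pan_views(events: List[dict]) -> Dict[Tuple[str, str], int]:
    """Count view_pan events per (user, calendar day)."""
    return Counter((e["user"], e["ts"][:10]) for e in events if e["action"] == "view_pan")


def flag_spikes(counts: Dict[Tuple[str, str], int], factor: float = 3.0,
                floor: int = 5) -> List[Tuple[str, str, int]]:
    """Flag user-days whose count exceeds both `floor` and `factor` times the
    median user-day count. The median is robust to the outlier being hunted."""
    if not counts:
        return []
    threshold = max(floor, factor * median(counts.values()))
    return sorted((u, d, n) for (u, d), n in counts.items() if n > threshold)


def flag_off_hours(events: List[dict], start_hour: int = 7,
                   end_hour: int = 19) -> List[Tuple[str, str]]:
    """Return (user, timestamp) for PAN views outside business hours (UTC assumed)."""
    out = []
    for e in events:
        hour = int(e["ts"][11:13])
        if e["action"] == "view_pan" and not (start_hour <= hour < end_hour):
            out.append((e["user"], e["ts"]))
    return out


if __name__ == "__main__":
    evts, bad_lines = parse(ACCESS_LOG)
    print("unparseable lines:", bad_lines)
    for user, day, n in flag_spikes(daily_pan_views(evts)):
        print(f"volume spike: {user} viewed {n} PANs on {day}")
    for user, ts in flag_off_hours(evts):
        print(f"off-hours PAN view: {user} at {ts}")
```

Both rules fire on the same user in the sample, which is the point: a volume spike plus off-hours timing is the pattern that distinguishes a data-theft run from a busy billing clerk. In production the baseline should come from weeks of history rather than two days, and anything flagged should route to a ticket rather than just stdout.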
PCI compliance validation requirements differ by merchant size.
Merchants fall into one of four levels, determined mainly by annual transaction volume, and each level has different validation requirements. The 12 requirements apply to everyone; what changes with level is how you prove you meet them.
Each card brand runs its own compliance program. Check with every brand you accept, because each defines the levels slightly differently and has its own submission requirements. In practice, your acquiring bank will tell you which level you fall under and what to submit.
Merchant levels defined by Visa:

| Merchant Level | Who does it apply to? | What do you need to do? |
| --- | --- | --- |
| Level 1 | Any merchant processing over 6M Visa transactions per year (all channels), or any global merchant identified as Level 1 by any Visa region. | File an annual Report on Compliance (ROC) prepared by a Qualified Security Assessor (QSA) or by an internal auditor and signed by an officer of the company, pass quarterly network scans by an Approved Scanning Vendor (ASV), and submit an Attestation of Compliance (AOC). |
| Level 2 | Any merchant processing 1M to 6M Visa transactions per year. | Complete an annual Self-Assessment Questionnaire (SAQ), a self-service validation in lieu of the more stringent Level 1 assessment, pass quarterly ASV scans, and submit an AOC. |
| Level 3 | Any merchant processing 20,000 to 1M Visa e-commerce transactions per year. | Complete an annual SAQ, pass quarterly ASV scans, and submit an AOC. |
| Level 4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1M Visa transactions per year. | Complete an annual SAQ and, where applicable, quarterly ASV scans, or an alternative validation exercise as defined by your acquirer. |
Merchant levels defined by Mastercard:

| Merchant Level | Who does it apply to? | What do you need to do? |
| --- | --- | --- |
| Level 1 | Any merchant processing over 6M Mastercard transactions per year; any merchant that has suffered an Account Data Compromise (ADC) event; any merchant that Visa classifies as Level 1; or any merchant that Mastercard places in Level 1 at its sole discretion. | Undergo an annual PCI DSS assessment resulting in a Report on Compliance (ROC), performed by a PCI SSC Qualified Security Assessor (QSA) or a PCI SSC Internal Security Assessor (ISA), and pass quarterly vulnerability scans of all Internet-facing system components by a PCI SSC Approved Scanning Vendor (ASV). |
| Level 2 | Any merchant processing 1M to 6M Mastercard transactions per year, or any merchant meeting the Level 2 criteria for Visa. | Complete an annual Self-Assessment Questionnaire (SAQ), a self-service validation in lieu of the full assessment required of larger merchants, and pass quarterly ASV scans as for Level 1. |
| Level 3 | Any merchant processing 20,000 to 1M Mastercard e-commerce transactions per year, or any merchant meeting the Level 3 criteria for Visa. | Complete an annual SAQ and pass quarterly ASV scans. |
| Level 4 | All other merchants. | Complete an annual SAQ and pass quarterly ASV scans, as directed by your acquirer. |
Read more on MasterCard PCI Compliance levels and requirements.
Merchant levels defined by Discover:

| Merchant Level | Who does it apply to? | What do you need to do? |
| --- | --- | --- |
| Level 1 | Any merchant processing over 6M Discover transactions per year, any merchant that Discover determines should meet Level 1 requirements, and any merchant classified as Level 1 by another card brand. | File an annual ROC prepared by a Qualified Security Assessor (QSA) or by an internal auditor and signed by an officer of the company, submit an Attestation of Compliance (AOC), and pass quarterly network scans by an Approved Scanning Vendor (ASV). |
| Level 2 | Any merchant processing 1M to 6M Discover transactions per year. | Complete an annual Self-Assessment Questionnaire (SAQ) and pass quarterly ASV scans. |
| Level 3 | All other merchants. | Complete an annual SAQ and pass quarterly ASV scans. |
Read more on Discover PCI Compliance levels and requirements.
Merchant levels defined by American Express:

| Merchant Level | Who does it apply to? | What do you need to do? |
| --- | --- | --- |
| Level 1 | Any merchant processing over 2.5M American Express transactions per year. | Submit an annual Report on Compliance with Attestation of Compliance (ROC AOC), assessed by a Qualified Security Assessor (QSA) or, if self-certifying, by a qualified internal resource, plus quarterly ASV scans. An American Express STEP Attestation may be submitted in lieu of these documents. The Security Technology Enhancement Program (STEP) is how American Express recognizes merchants that have deployed additional safeguards for card data. |
| Level 2 | Any merchant processing 50,000 to 2.5M American Express transactions per year. | Complete an annual Self-Assessment Questionnaire (SAQ) and an ASV Scan Report Attestation of Scan Compliance (AOSC). A ROC AOC or an American Express STEP Attestation may be submitted in lieu of these documents. |
| Level 3 | Any merchant processing 10,000 to 50,000 American Express transactions per year. | Reporting is optional unless American Express requires it directly. If you do report, the usual documents are an annual SAQ and an AOSC; a ROC AOC or an American Express STEP Attestation may be submitted in lieu of these. |
| Level 4 | Any merchant processing fewer than 10,000 American Express transactions per year. | Reporting is optional unless American Express requires it directly. If you do report, the usual documents are an annual SAQ and an AOSC; a ROC AOC or an American Express STEP Attestation may be submitted in lieu of these. |
Read more on American Express PCI Compliance levels and requirements.
What is an Approved Scanning Vendor, or ASV?
As the tables above show, most of the card brands require ASV scans. ASVs are companies approved by the PCI SSC to perform the external vulnerability scans of your Internet-facing systems that the standard requires at least quarterly. You must produce a passing scan for each quarter. Organizations typically scan early in the quarter, fix what the scan finds, and rescan, so that a clean result is in hand by the submission deadline.
What is a Qualified Security Assessor, or QSA?
As the tables above show, the larger merchant levels require a QSA to assess your PCI compliance. QSAs are independent security firms qualified by the PCI Security Standards Council to validate a merchant's adherence to PCI DSS and produce the Report on Compliance.
What is an SAQ?
An SAQ, or Self-Assessment Questionnaire, is the merchant's own attestation that the PCI DSS requirements applicable to its environment are in place.
There are nine SAQs, and the right one depends on how you accept payments. Here is how to choose (question counts are for PCI DSS v3.2.1):
SAQ A (22 questions)
For card-not-present merchants (e-commerce, mail order, or telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties. Merchants in this category do not electronically store, process, or transmit any cardholder data on their own systems or premises; for e-commerce, the payment page is hosted entirely by the third party.
SAQ A-EP (191 questions)
For e-commerce-only merchants that outsource payment processing to a validated third party but whose own website controls how the cardholder's browser is redirected to it. These merchants do not store, process, or transmit electronic cardholder data, but because the website can affect the security of the payment, an ASV vulnerability scan and penetration testing are part of the questionnaire.
SAQ B (41 questions)
For merchants using only imprint machines or standalone dial-out terminals, with no e-commerce channel and no electronic storage of cardholder data.
SAQ B-IP (82 questions)
For merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and no electronic storage of cardholder data. An ASV vulnerability scan is part of the questionnaire.
SAQ C-VT (79 questions)
For merchants that manually key one transaction at a time into a web-based virtual terminal provided by a validated third party, from a dedicated computer, with no electronic storage of cardholder data.
SAQ C (160 questions)
For merchants with payment application systems connected to the Internet and no electronic storage of cardholder data. An ASV vulnerability scan is part of the questionnaire.
SAQ P2PE (33 questions)
For merchants using only hardware payment terminals that are part of a PCI SSC-listed point-to-point encryption (P2PE) solution, with no electronic storage of cardholder data.
SAQ D for Merchants (329 questions)
For all merchants not covered by the types above, typically those that do not fully outsource payment processing or use a P2PE solution and may therefore store electronic cardholder data. Vulnerability scans and penetration testing are part of the questionnaire.
SAQ D for Service Providers
For service providers that are eligible to complete an SAQ rather than a full Report on Compliance. Vulnerability scans and penetration testing are part of the questionnaire.
What if I take credit card payments by phone?
Some businesses wonder whether PCI DSS makes taking card payments over the phone obsolete or non-compliant. It does not: phone transactions can be PCI compliant, but you have to take specific measures to keep cardholder data, and especially sensitive authentication data, out of places it should never be. Consider the following:
- Secure call recording systems.
Regulators in some industries require telephone conversations to be recorded. If you record calls, the systems that store those recordings are in scope. Network segmentation, encryption of the stored recordings, and strict access control are among the ways to reduce the risk of a breach.
- Be careful with card verification codes.
The three- or four-digit code, usually on the back of the card, is sensitive authentication data and may never be stored after authorization. If you record calls and an agent asks the customer for that code, the recording is stored card data, and the compliance problem exists no matter how well protected or encrypted the recording is. Build in redaction, either by pausing the recording during card entry or by removing that segment afterward; most call recording systems can pause automatically when the agent reaches the payment page of an integrated order entry system.
- Never write card details on slips of paper.
Old-school methods can be the riskiest. A slip of paper is easily lost, photographed, or read by the wrong person. Keying card details directly into the payment system keeps them in a controlled, access-limited environment. If you must write payment information down, for example during a system outage, enter it as soon as possible and then cross-cut shred the paper.
- Provide guardrails and training for employees.
Some call centers enforce a no-phones-on-the-floor rule so that an unscrupulous agent cannot photograph card details. Technical guardrails help, but a training program that covers what PCI compliance requires, and the penalties a breach can bring for both the employee and the business, helps everyone involved understand why the rules exist.
Phone transaction fraud is a growing risk.
E-commerce may make telephone payments seem archaic, but some customers still prefer to pay bills by phone, especially in customer service situations. And as e-commerce security has tightened, a good deal of fraud has shifted toward telephone orders, which makes securing phone transactions more important, not less.
To read an in-depth guide on how to ensure security over telephone transactions, check out this guidebook from the PCI Security Standards Council.
PayGround prioritizes PCI compliance.
PayGround supports customer PCI compliance by offering the tools for healthcare providers to utilize. And with the addition of maintaining HIPAA compliance, payment processing gets a lot less complicated for healthcare organizations.
Simplify Your Payment System Today.