The Effects Of PCI Compliance On Healthcare

March 01, 2018

In the early ‘00s, Visa, Mastercard, American Express, Discover, and JCB united to form the Payment Card Industry Security Standards Council (PCI SSC). Their goal: to create standards that protect cardholder data and reduce credit card fraud. Through this combined effort, the major payment card brands uphold the Data Security Standard (DSS), which requires merchants to comply with its security rules or lose the ability to accept payment cards.

Healthcare providers are subject to many security standards, the DSS among them. Healthcare providers should therefore understand how the PCI DSS affects their industry.

How to Become PCI Compliant

There are 12 relatively simple requirements for becoming PCI-compliant:

  • Maintain a firewall
  • Do not use vendor defaults for passwords and other security parameters
  • Protect stored data
  • Encrypt transmission of data across public networks
  • Use and update antimalware software
  • Maintain secure systems and apps
  • Assign unique user IDs to anyone with device and network access
  • Restrict digital access to cardholder data
  • Restrict physical access to cardholder data
  • Monitor all access to network and cardholder data
  • Test security systems and processes
  • Maintain a security policy and educate users

There are four levels of compliance that determine how closely a healthcare provider is monitored for PCI compliance. For example, a level 1 merchant should have an internal auditor assess PCI compliance annually, undergo a quarterly network scan, and complete an attestation of compliance, while a level 4 merchant performs a self-assessment questionnaire and attests compliance. The levels depend on transaction volume: larger organizations with more patients must take greater pains in protecting their data. Unfortunately, the more compliant an organization must be, the higher the cost of maintaining compliance.

The Costs of PCI DSS Compliance

The PCI DSS offers a useful estimate of compliance costs to help organizations structure their security budgets. Depending on its compliance level, an organization can expect to pay:

  • Level 1: $22,000-$50,000
  • Level 2: $15,000-$40,000
  • Level 3: $10,000-$30,000
  • Level 4: $5,000-$10,000

These estimates include the cost of services that enforce the security standards and of the assessments that earn compliance labels. As before, smaller organizations tend to pay less to maintain compliance because they have less cardholder data to keep safe.

Though healthcare providers do not have any unique PCI requirements, they typically have additional security obligations that compound security costs. For example, the Health Insurance Portability and Accountability Act (HIPAA) demands physical and technical safeguards around patient data not unlike those the PCI DSS imposes on cardholder data. Thus, healthcare providers must

Of course, failing to be PCI-compliant costs, too. In the past, healthcare providers were not prime targets for PCI audits, but because more health-related bills are being paid by card — and since more healthcare providers are storing cardholder data on local PCs — hospitals and other facilities are suffering more and more cyberattacks. As a result, more healthcare providers have been fined for PCI non-compliance, with fines ranging from $5,000 to $500,000. Worse, a data breach can cost a healthcare provider the trust of its card-paying patients, which degrades its reputation and reduces income. PCI compliance is the only viable outcome — and, fortunately, there are a few paths to get there.

Top DSS Compliance Solutions

Without doubt, the best PCI compliance solution for healthcare providers is the adoption of a semi-integrated payment architecture. Unlike traditional fully integrated payments, semi-integrated payments let cardholder data bypass the merchant's own systems on its way from the payment terminal to the transaction processor. Thus, healthcare providers (and other merchants) can reduce the scope of their compliance and, with it, the associated costs. Used together with point-to-point encryption — which renders cardholder data useless to anyone who intercepts it — semi-integrated payments can make PCI compliance simple.

Everyone suffers when cardholder data is stolen — vendors lose credibility and respect, payment card companies lose money, and consumers lose nearly everything, from cash and credit score to time and access to their means of payment. Patients are increasingly paying healthcare bills by card, which means healthcare providers must be able to accept credit cards if they want to be paid for their services. Compliance with the PCI DSS is the only way to safely and reliably accept major credit cards. Fortunately, PCI compliance doesn’t have to be a catastrophic headache. Semi-integrated payments and other solutions ensure healthcare providers and patients receive the data protection they need for safe, secure transactions.

Jackie is a content coordinator and contributor who creates quality articles for topics like technology, business and education. She studied business management and is continually building positive relationships with the internet community.