Digital Information Technology: PCI Compliance Concerns
If your dental practice is accepting credit card payments from patients, then your practice is required to be PCI compliant. There are a number of standards your company must meet and maintain in order to attain and keep your compliance. In this article we will cover everything from what PCI compliance is to why it is essential for you, as a practice owner, to understand and implement.
If you are feeling overwhelmed by the vast amount of digital information technology required to run your practice, it may be time to consider outsourcing. Download our handy checklist “How To Choose a Managed IT Service Provider” to help guide you to a better solution.
What is PCI Compliance?
In September 2006, American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. formed the Payment Card Industry Security Standards Council. Their goal was to create and manage the Payment Card Industry Data Security Standard and to ensure merchant compliance with it. PCI DSS is a set of standard practices that seek to protect personal information related to credit cards and credit card transactions.
The goal of PCI DSS is to eliminate vulnerabilities by governing how merchant information is handled. It covers areas such as data storage, how information is processed, and transmission of credit card data, among other areas.
Why is PCI Compliance important?
As long as people pay with credit cards there will be data breaches. According to USA Today, “Billions of people were affected by data breaches and cyberattacks in 2018 – 765 million in the months of April, May and June alone – with losses surpassing tens of millions of dollars….” When you are a PCI-compliant merchant, you are protecting personal consumer information by taking all necessary precautions to reduce the risk of a security breach. This can be accomplished through up-to-date software, frequent security scans, and a well-trained staff that understands the role they play in protecting credit card data.
Who needs to be PCI Compliant?
Every business that participates in an electronic credit card transaction needs to be PCI compliant. All members of the payment card industry (financial institutions, credit card companies) must comply with PCI DSS. Merchants who accept credit card payments must comply with these standards in order to accept credit cards.
What does this mean for my dental practice?
If you, as a merchant, wish to accept patient payments via credit card, you are required by law to be PCI compliant. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards.
Who in the office needs to be compliant?
Anyone in your practice who is accepting payments or accessing patient files that contain credit card information will need to be trained in PCI compliance laws.
What is involved in earning compliance?
Earning PCI compliance depends on the size of your practice and how many credit card transactions you process on an annual basis. The Payment Card Industry Security Standards Council website details how to go about becoming a PCI-compliant merchant. Here are the steps your practice should take to determine what you will need to do to attain PCI merchant compliance:
Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance (refer to the transaction chart).
Complete the Self-Assessment Questionnaire.
Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV) when applicable. Note that scanning does not apply to all merchants; it is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
Consult your IT partner for guidance and recommendations.
What does it cost to be PCI Compliant?
Since the level of PCI compliance needed by each merchant depends on multiple factors, costs can vary greatly from case to case. Some factors that come into play for calculating the cost of PCI compliance are:
Number of transactions processed: The total number of credit card transactions that your company transmits annually will dictate the level of compliance required.
Business type: The size of your business will determine compliance cost. Small companies will have a lower compliance price tag than a large corporation.
Number of employees: As mentioned before, anyone that is coming into contact with credit card information will need to be trained. The size of your staff will dictate your training budget and in some cases the need for your IT partner to be present.
Senior leadership: If your leadership team (owners, associate dentists) does not implement PCI-compliant practices, then your practice would be subject to fines.
Physical environment: The location, type, and configuration of your hardware (whether onsite or offsite) can all impact the costs of compliance. Other factors related to physical environment can also have an impact. If your employees work remotely, your compliance costs could be higher. Bring-your-own-device (BYOD) workplaces may also face greater risks, particularly if employee-provided mobile devices are used to process and store card transactions.
Hardware: All equipment used to run credit card information will need to be PCI compliant. If you have a high volume of card processing equipment and/or multiple ways of processing transactions, you will likely be spending more money, as more equipment means more vulnerability.
In-house PCI knowledge: Depending on the size of your practice, you may consider contracting someone with PCI knowledge; larger practices may bring someone in house.
PCI fees: If you are not compliant, you are subject to monthly fees.
Qualified Security Assessments: Participating in audits is part of being a PCI-compliant merchant. The size of your company will dictate the fees; smaller companies require a less intensive audit and in turn will cost less.
With so many variables to consider, PCI compliance can range from less than 10K a year to over 1M a year. However, for most small businesses you will likely fall into the less than 10K a year range.
What is involved in maintaining my practice’s PCI compliance?
Maintaining compliance between assessments requires ongoing effort. This can be achieved by keeping software updated, running regular network scans and security audits, and keeping staff informed. You should also maintain a secure network in-house. Although it is possible to maintain a secure network without outsourced help, it will be tough while you are focusing on patient care. There are many anti-virus software programs available to help you scan your system and countless online resources to guide you on maintaining a secure network. At Integrity Systems we always recommend consulting a professional when it comes to something as important as PCI compliance. The fines for being non-compliant could have a devastating effect on a practice of any size.
Protecting your user data is an ongoing concern in maintaining PCI compliance. Some simple and effective ways to protect your user data and maintain your PCI Compliance include:
Maintaining a secure network (see above)
Placing sensitive patient information such as name or address behind a firewall
Using access control measures in the office that assign a unique identification to each staff member who has access to patients’ payment information
Educating your staff and ensuring that they are aware of security measures and the role they must play to maintain PCI compliance. This is essential even for staff members who are not required to obtain compliance certification.
Creating and maintaining the RIGHT policies and procedures regarding PCI compliance is critical to properly protect your patients’ data. As the practice owner or office manager it is essential that you become educated about PCI compliance and in turn, educate your team. Establishing best practices and policies for your dental practice is a simple and easy way to ensure PCI compliance for the long term.
Start by identifying what level of compliance is required of your company. Extract all requirements for your level of compliance and use this as the foundation for your policy. Familiarize yourself and your team with PCI DSS policies. Incorporate PCI compliance standards into your practice’s daily routine. Keep track of how credit card companies are ranking you on the PCI compliance scale.
PCI compliance is a requirement for dental offices, and indeed all businesses, that accept credit card payments. The level of PCI compliance that a practice will need may vary dramatically depending on factors such as annual transactions or number of employees. But no matter what type of compliance your company is required to obtain, it is essential to implement a policy that will help your dental practice avoid security breaches and fines from credit card companies.