Tony Hansen is a Payment Card Industry Professional (PCIP) at Providence Health Systems. Providence is the third largest not-for-profit health system in the U.S., operating 34 hospitals in five states. Earlier this year, Tony met with a group of Epic users about the importance of EMV and how encryption helps reduce PCI scope and protect against the threat of fraud and stolen personal data.
Below are the insights and advice Tony shared regarding some of the most frequently asked questions about this topic.
Q: What is PCI compliance?
Tony: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment. PCI has six goals, 12 requirements and nearly three hundred sub-requirements – and it keeps growing larger. It’s also more prescriptive than HIPAA. You must meet each sub-requirement or you’re not compliant.
Q: What determines an organization’s PCI scope?
Tony: Any transaction where a person does not have access to the data being processed is out of PCI scope. So think about all of the point of service (POS) stations in your organization. At Providence, we not only have POS stations where we take payments for healthcare services, we also have cafeterias, gift shops, guest houses, daycare centers, foundations and retail pharmacies, as well as Subway and Starbucks franchises. That’s a lot of credit card payments.
Q: How does being equipped to accept EMV (chip cards) protect my healthcare organization?
Tony: EMV verifies in card-present, face-to-face transactions that a card is valid and was not created with stolen card data. The chip on the card creates a dynamic piece of data that speaks to the card issuer during a transaction, enabling the issuer to recognize and authenticate the card. As of October 1st, if you accept a fraudulent card on a non-EMV capable device, you will not be reimbursed for that fraudulent transaction. Additionally, your clinical systems can use a risk-based implementation schedule, because they are low risk for fraud.
Q: So, being prepared for EMV will reduce PCI scope?
Tony: No, EMV does not reduce PCI scope. EMV is great at reducing fraud in face-to-face card-present transactions, but it does nothing to reduce PCI scope. Where all healthcare organizations really need to get to is point-to-point encryption (P2PE). P2PE encrypts card data at the point of entry and keeps it encrypted until it reaches a secure endpoint. Because transactions with P2PE are never readable – no person has access to the data being processed – those transactions have reduced scope for PCI.
Q: How can healthcare organizations reduce PCI scope?
Tony: The best way to reduce PCI scope is to not transmit, process or store credit card data in your environment. Find a payment vendor that can help you remove it through P2PE and tokenization. It is important to work with partners who understand the unique challenges of working with healthcare companies, which face HIPAA compliance challenges as well as PCI. Also, be aware that trusting vendors who self-attest to being compliant can be dangerous, so you should validate your vendor’s compliance credentials on the PCI website.
Since we took these steps with our clinical systems at Providence, we are confident that every payment transaction that occurs is protected and compliant, allowing us to focus on delivering compassionate care that’s accessible for all.
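To make the scope-reduction point concrete, here is an added example (not from the interview, and not Providence's, InstaMed's or Elavon's code) that models the flow Tony describes: the terminal encrypts the PAN at the point of entry, only the payment vendor's endpoint can decrypt it, and the hospital-side system stores nothing but a token and a masked display form. The class and function names are hypothetical; an HMAC-SHA256 keystream stands in for the terminal's hardware encryption, an in-process dictionary stands in for the vendor's token vault, and the PAN is a constructed test number. The last function is a defender's check: it scans whatever the merchant side stored for Luhn-valid card-number-shaped digit runs, which is the kind of evidence an assessor looks for when deciding whether a system is in scope.

```python
"""Toy model of P2PE + tokenization and why it keeps PAN out of merchant systems.
Added example only; names, keys and the test PAN are constructed, and the
HMAC-based cipher is a stand-in for the terminal's real hardware encryption."""
import hashlib
import hmac
import re
import secrets
import uuid


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used by the card brands; filters out non-PAN digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form (first six, last four) that PCI DSS allows on receipts and screens."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode: a stand-in for AES on the terminal
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def p2pe_encrypt(key: bytes, pan: str) -> bytes:
    """What the terminal emits: nonce || ciphertext || MAC tag, never the clear PAN."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def p2pe_decrypt(key: bytes, blob: bytes) -> str:
    """Runs only at the vendor's secure endpoint; rejects any modified blob."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class Gateway:
    """Hypothetical payment vendor: decryption endpoint plus token vault."""

    def __init__(self, device_key: bytes):
        self._key = device_key
        self._vault = {}            # token -> PAN, lives only on the vendor side

    def tokenize(self, blob: bytes):
        pan = p2pe_decrypt(self._key, blob)
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + str(uuid.uuid4())
        self._vault[token] = pan
        return token, mask_pan(pan)


class MerchantApp:
    """Hypothetical hospital-side system: it sees only the encrypted blob and the token."""

    def __init__(self, gateway: Gateway):
        self.gateway = gateway
        self.records = []

    def take_payment(self, encrypted_blob: bytes, amount: float) -> str:
        token, masked = self.gateway.tokenize(encrypted_blob)
        self.records.append({"amount": amount, "token": token, "card": masked})
        return token


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def pan_exposure(text: str) -> list:
    """Scope check: Luhn-valid 13-19 digit runs found in stored data or logs."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def demo() -> dict:
    key = secrets.token_bytes(32)        # hypothetical key injected into the terminal
    app = MerchantApp(Gateway(key))
    pan = "4111111111111111"             # constructed test PAN, not a real card
    blob = p2pe_encrypt(key, pan)        # produced by the terminal at swipe/dip time
    app.take_payment(blob, 125.00)
    return {
        "pan_in_merchant_storage": pan_exposure(repr(app.records)),
        "blob_is_unreadable": pan.encode() not in blob,
        "record": app.records[0],
    }


if __name__ == "__main__":
    print(demo())
```

The point the scan makes is the same one Tony makes about scope: if a search of the merchant's databases and logs for card-number-shaped data comes back empty because the PAN never existed there in readable form, those systems have a much smaller PCI footprint. A real deployment would use the terminal vendor's validated P2PE solution and the gateway's tokenization API rather than this stand-in cipher.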
The security of InstaMed solutions has been validated by Coalfire Systems, Inc., a respected PCI Payment Application Qualified Security Assessor (PA-QSA), in the Security and Encryption in Healthcare Payments White Paper.
Providence Health Systems uses InstaMed as its payment gateway (with processing by Elavon). InstaMed integrates with its practice management system, Epic.