Every month, the Payer Security Focus will break down a different topic in security and compliance with information relevant to payers and actionable steps to help build a more robust security and compliance program at their organizations. This month’s topic is compliance versus security.
- What is the Difference Between Compliance and Security?
To understand the importance of compliance and security in healthcare payments, first let’s clarify the difference between the terms compliance and security. Both are important to healthcare payments, but these two terms are not interchangeable.
Compliance refers to regulatory requirements that must be met by anyone in the healthcare payments process; this includes regulations that apply to payments regardless of industry, as well as healthcare regulations that apply regardless of payments. Security refers to measures – usually in the form of new technology and best practices – that can be taken to add layers of protection.
In other words, compliance refers to the things we must do and security refers to the things we should do.
- Why Should Payers Care?
When it comes to compliance and security, the important thing for payers to remember is that one is not contingent on the other. Payers can meet all compliance regulations without being the most secure, or conversely, can leverage the latest advancements in security technology without being compliant. The best way to protect a payer organization is to be both compliant and secure.
- What Are the Challenges to Payers?
Security risks and compliance requirements for healthcare payments are an important part of your risk management strategy. However, if not done correctly, managing them could be a drain on resources for a payer.
- What Are the Benefits to Payers?
Healthcare payments are among the most heavily regulated and scrutinized transactions in any industry, as well as the most targeted by cybercriminals. Payers must have a robust security and compliance program at their organization that takes into account the differences between the two or rely on a payments network that is independently certified and audited at the highest levels available. However, those things are easier said than done. Here are a few examples of compliance regulations and security measures to help payers understand all that they must consider when evaluating whether they are both secure and compliant.
- Compliance Regulations
The Payment Application Data Security Standard (PA-DSS) is the global security standard created by the Payment Card Industry Security Standards Council (PCI SSC). It applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data, and/or sensitive authentication data. PA-DSS holds vendors accountable for the payment applications they develop and sell and even requires that vendors guide customers with the implementation and use of those applications.
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, financial institutions and service providers. It also applies to all other entities that store, process or transmit cardholder data or sensitive authentication data. To be PCI compliant, payers should select a secure platform for payments that has achieved and maintains certification for the highest standards in handling both protected health information (PHI) and maintaining the security of financial data exchange.
- Security Measures
Point-to-Point Encryption (P2PE) encrypts a consumer’s payment card information at the point of entry, where the risk of a data breach is especially high, and keeps it unreadable until it is decrypted by the payment processor. Because the merchant’s own systems never handle the card data in the clear, P2PE significantly reduces PCI scope on the networks and systems that healthcare organizations use to collect payments, as well as the likelihood of a payment card data breach.
Europay, Mastercard and Visa (EMV) – also known as chip cards – is a method of payment that integrates a “chip” into a credit card to increase fraud protection for card-present transactions. In healthcare, EMV would offer protection if a patient tried to use a stolen credit card to pay a co-pay at the point of service. EMV offers an added layer of security, but it does not protect payment data if used alone. Payers that accept premium payments at brick-and-mortar locations must therefore combine EMV with encryption of the card data to protect that data.
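The following Go program is an added example, not code from the original article or from any payments vendor, that models what the P2PE and encrypted-EMV paragraphs above describe: the terminal encrypts the card number the moment it is entered, the merchant’s systems handle only a masked number and ciphertext, and only the processor, which holds the decryption key, can recover the number. The key, the test card number and the names `Terminal`, `Processor`, `EncryptedCapture` and `aadLabel` are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ExampleKey is a constructed 32-byte AES-256 key shared only between the
// payment terminal and the processor's decryption environment. In a real
// P2PE deployment keys are injected into the device under the PCI P2PE
// standard; this value exists only so the example runs offline.
var ExampleKey = []byte("0123456789abcdef0123456789abcdef")

// aadLabel is authenticated (not encrypted) with every capture so a ciphertext
// cannot be replayed as a different kind of message.
const aadLabel = "p2pe-card-capture-v1"

// Terminal models the tamper-resistant device where the card is entered.
type Terminal struct{ key []byte }

// Processor models the payment processor's decryption environment.
type Processor struct{ key []byte }

// EncryptedCapture is everything that leaves the terminal. The merchant's own
// network and systems only ever handle this structure, which is why P2PE
// shrinks their PCI DSS scope.
type EncryptedCapture struct {
	MaskedPAN  string // first six and last four digits, enough for receipts and support
	Nonce      string // hex-encoded AES-GCM nonce
	Ciphertext string // hex-encoded AES-GCM output, authentication tag included
}

// MaskPAN keeps the BIN and the last four digits and hides the rest, the
// truncated form PCI DSS permits for display.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Capture encrypts the PAN immediately at entry. The plaintext never leaves
// this function; only the masked value is returned in the clear.
func (t Terminal) Capture(pan string) (EncryptedCapture, error) {
	gcm, err := newGCM(t.key)
	if err != nil {
		return EncryptedCapture{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedCapture{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(aadLabel))
	return EncryptedCapture{
		MaskedPAN:  MaskPAN(pan),
		Nonce:      hex.EncodeToString(nonce),
		Ciphertext: hex.EncodeToString(ct),
	}, nil
}

// Decrypt recovers the PAN inside the processor's environment. A wrong key or
// any modification of the capture fails GCM authentication and returns an error.
func (p Processor) Decrypt(c EncryptedCapture) (string, error) {
	gcm, err := newGCM(p.key)
	if err != nil {
		return "", err
	}
	nonce, err := hex.DecodeString(c.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(c.Ciphertext)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(aadLabel))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered capture")
	}
	return string(pt), nil
}

// MerchantSeesFullPAN reports whether anything in the capture exposes the
// complete card number to the merchant side; for a correct capture it is false.
func MerchantSeesFullPAN(c EncryptedCapture, pan string) bool {
	return c.MaskedPAN == pan || strings.Contains(c.Ciphertext, hex.EncodeToString([]byte(pan)))
}

func main() {
	pan := "4111111111111111" // constructed test card number
	capture, err := Terminal{key: ExampleKey}.Capture(pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("merchant systems see: %+v\n", capture)
	fmt.Println("merchant can read full PAN:", MerchantSeesFullPAN(capture, pan))
	recovered, err := Processor{key: ExampleKey}.Decrypt(capture)
	fmt.Println("processor recovered:", recovered, err)
	_, err = Processor{key: []byte("ffffffffffffffffffffffffffffffff")}.Decrypt(capture)
	fmt.Println("wrong key:", err)
}
```

The point to notice is the key placement: the merchant host is never given the key, so a compromise of the merchant network yields only masked numbers and authenticated ciphertext, which is exactly the scope reduction the P2PE paragraph claims. The authenticated label also means a capture cannot be silently altered in transit.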
- Compliance and Security Checklist for Payers
- Download this white paper for a comprehensive guide on compliance and security to promote efficiency and help payers thrive with innovative and secure payment solutions.
- Read next month’s Payer Security Focus where we’ll take a closer look at anti-money laundering laws.