Every month, the Payer Security Focus will break down a different topic in security and compliance with information relevant to payers and actionable steps to help build a more robust security and compliance program at their organizations. This month’s topic is PCI DSS.
- What is PCI?
PCI DSS stands for Payment Card Industry Data Security Standard. It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, and to any other entity that stores, processes or transmits cardholder data or sensitive authentication data.
- Why Should Payers Care?
To deliver a streamlined payment experience, payers have begun to allow members to pay providers and make premium payments directly from their portals. If a payer accepts payment cards from members, both the payer and the vendors that handle card data on its behalf fall within the scope of the PCI DSS. Payers therefore need to maintain PCI compliance across every healthcare payment flow in which cardholder data is accepted: consumer-to-provider, consumer-to-payer and payer-to-provider.
- What Are the Challenges to Payers?
If a payer does not achieve the appropriate level of PCI compliance, the payment card brands (acting through the acquiring bank) may impose fines or even prohibit the organization from processing payment cards. However, achieving PCI DSS compliance can be very expensive and time-consuming for payers when done in-house. Organizations handling large transaction volumes (Level 1) must undergo an annual on-site assessment by an external Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC); organizations with lower volumes may instead validate with a Self-Assessment Questionnaire (SAQ), but the underlying requirements are the same.
The assessment includes on-site audit work and both internal and external network penetration tests (required at least annually and after significant changes). To stay compliant between assessments, an organization must run quarterly internal and external vulnerability scans (external scans by an Approved Scanning Vendor, ASV), keep systems patched and remediate findings on an ongoing basis. The most practical way to meet these obligations at scale is to reduce the payer's own PCI scope by choosing a trusted payment vendor that is independently audited and validated as a PCI Level 1 service provider. Note that outsourcing reduces but does not eliminate the payer's obligations: the payer remains responsible for any cardholder data that still touches its own systems and for managing and monitoring its service providers.
- What Are the Benefits to Payers?
Maintained by the PCI Security Standards Council, which was founded by the major payment card brands (MasterCard, VISA, AMEX, Discover and JCB), PCI DSS defines the requirements and best practices for reducing fraud and security breaches. PCI compliance is required in order to issue or process payment cards, primarily because the consequences of data breaches are significant. Many of the PCI DSS requirements are therefore simply good security practice, and following them helps prevent a data breach, which can result in significant fines, legal fees and loss of business.
It is important to note that being compliant does not necessarily mean an organization is secure. Put simply, the PCI DSS is an industry standard enforced through contract, and compliance is a point-in-time attestation against that standard. Encrypting card data entered for online premium payments, and keeping that data out of the payer's own systems altogether, is a security control.
- PCI Checklist for Payers
- To be PCI compliant, payers should select a secure payment platform that has achieved and maintains certification both for handling protected health information (PHI) and for securing financial data exchange. Before relying on a vendor, request its current Attestation of Compliance (AOC) and confirm that the specific services the payer will use are covered by it.
- For more on PCI compliance and P2PE, download the Security and Encryption in Healthcare Payments white paper published by Coalfire Systems Inc. (Coalfire), a respected PCI Payment Application – Qualified Security Assessor (PA-QSA) company and InstaMed, healthcare’s most trusted payment network.
- Read next month's Payer Security Focus, where we'll take a closer look at the difference between security and compliance.