In healthcare, selecting a vendor to work with is a serious process that should not be taken lightly. It is important to research vendors and choose the right one, as you will be working with this vendor for many years to come. A major factor in your decision process should be the security and compliance certifications that your candidate vendors have earned. Make sure that the payment vendors you decide to work with hold the certifications that meet the security and compliance standards your business demands, and that these certifications are current and renewed on a regular basis. Your vendors need to keep both healthcare data and payment data under control.
Here are the certifications you need to consider when selecting a healthcare payment vendor:
HITRUST CSF
The HITRUST CSF is a certifiable framework that offers organizations a comprehensive, flexible and efficient approach to regulatory compliance and risk management. When a vendor obtains CSF Certified status, it indicates that the organization has met industry-defined requirements and is appropriately managing risk; it also places the vendor in a select group of organizations worldwide that have earned this certification. By incorporating federal and state regulations, standards and frameworks, and taking a risk-based approach, the HITRUST CSF helps healthcare organizations address their regulatory and risk-management challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
A vendor must go through a multi-step process to achieve HITRUST certification. After the initial certification process, vendors must go through interim assessments to ensure they are maintaining the levels of security that enable them to uphold HITRUST certification.
PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) applies to all persons and entities that are associated with payment cards, including merchants of all sizes, financial institutions, point-of-sale vendors, and the hardware and software developers who create and operate the global infrastructure for processing payments. As credit card payments grow, driven in part by the steady increase in consumer out-of-pocket healthcare costs, healthcare organizations and the vendors they work with fall within the reach of the PCI DSS.
Healthcare organizations need to ensure they are PCI compliant, meaning they are able to accept payment card payments in a compliant way. The best way to ensure PCI compliance is to pick a payment vendor that is PCI Level One Certified, which establishes the vendor's own PCI compliance. To become PCI certified, a vendor needs to be audited by a third-party Qualified Security Assessor (QSA); ask the vendor for the Attestation of Compliance that results from that audit and confirm it is current.
PCI P2PE v2.0
Healthcare organizations that collect payment at point-of-sale locations need to leverage point-to-point encryption (P2PE) to ensure payment card data is protected. P2PE is a methodology for securing credit card data by encrypting it from the moment a card is swiped or keyed until it reaches a secure endpoint where it is decrypted. Without P2PE, payment card data is vulnerable to breaches while it is in transit during the payment process. Additionally, because your own systems never handle cleartext card data, leveraging P2PE will significantly reduce your PCI scope.
Many payment vendors talk about P2PE because it is a must-have for healthcare organizations. However, keep in mind that only solutions listed on the PCI SSC website have been audited and approved by the PCI Council as P2PE Validated solutions, so check that the vendor's specific solution appears on that list rather than relying on the vendor's own description.
If it’s time for your organization to consider a new healthcare payment vendor, choose a vendor with the above certifications. This will ensure that you’ve made the best decision for payment security and compliance at your organization.