6 Things Your Practice Needs to Know About PCI
Your patients have to get their yearly check-ups, and so does your practice. PCI is all about keeping your practice secure and safe for cardholders (your patients!). All businesses that accept credit cards have to complete a yearly Payment Card Industry (PCI) Self-Assessment Questionnaire. Depending on how you accept credit card payments, there are between 14 and 329 requirements. For your convenience, we've highlighted the top 6 requirements that healthcare providers should be aware of.
1. Payment information sent by mail must have a tracking number (Req. 9.6.2b)
When collecting patient payments, most practices send out paper statements with an option for patients to pay their bill by mailing credit card information back to the practice. This is not the most secure method of handling patients' information, so tracking information must be available.
Why: Mail can be stolen or lost in transit from patient to practice.
2. Don't store patient payment information internally in electronic format (Eligibility question)
It may be tempting to electronically store patients' card information in a program such as Excel for easy access when running monthly recurring payments. According to PCI, this is a big mistake. Why? Excel is an insecure and unencrypted method of storing payment information. For example, if a hacker were to access your computer, they would be able to steal the Excel file containing your patients' payment information.
Recommendation: Work with a PCI validated vendor who is able to tokenize and store payment info on their servers.
3. All media is physically secured (Req. 9.5)
Speaking of paper copies, all media, including paper records and removable electronic media, must be physically secured. Lock up those binders and flash drives!
Recommendation: Don't leave documents containing sensitive information out in the open where someone could walk off with them.
4. Credit card information should never be emailed (Req. 4.2b)
The PCI self-assessment requires policies to be in place stating that unprotected primary account numbers (PANs) are not to be sent via end-user messaging technologies such as Skype and email. Make sure that your staff is clear on these policies.
Recommendation: Offering online bill pay to your patients keeps card information out of your system.
5. Each user must have their own unique user ID (Req. 8.1.1)
To access systems that hold patient card data, each user must have their own unique user ID. This keeps track of who is accessing data and when, and protects both your staff and your patients.
Bonus: Having unique IDs helps track who is taking payments in your practice in case a question arises.
6. Terminate remote connections when not in use (Req. 8.1.5a)
Do you have an offsite IT support technician who provides remote assistance? Make sure you terminate the connection when it is no longer needed.
Why: Leaving a connection open is like leaving your front door open; a hacker could come in and compromise your practice's and your patients' data.
For more information on PCI and self-assessment questionnaires, visit the PCI Security Standards Council website.
Tired of PCI SAQs? Check out Corral Solutions to find out how we can help eliminate your practice's need to worry about PCI compliance.