What the Heck?! I Thought We Were PCI Compliant?
Okay, answer honestly. Has that exclamation ever gone through your mind after noticing non-compliance fees on your healthcare organization’s merchant services bill? From our experience, this is often the point where one of two things happens.
Scenario #1 – After a bit of shock, the customer contacts Wind River Financial. What follows is a discussion surrounding what needs to be done to become PCI compliant and how to avoid non-compliance fees in the future. We’ll mention services such as the Advanced Security Package, which were designed to help healthcare organizations (as well as other customers) take a giant step toward compliance. Afterwards, the customer hangs up, takes a deep sigh of relief and proceeds with their day, knowing that things are looking up.
Scenario #2 – After a bit of shock, the customer glances around the room, thinks “not my monkeys, not my circus,” and proceeds to pay the bill, leaving the fallout for whomever is next to notice that the organization is not PCI compliant.
Our goal, obviously, is to avoid that second one (and it happens far more often than you’d think).
First off, let’s break down quickly just what non-compliance fees are. Non-compliance fees are put into place for several reasons. When a company is not compliant, there is a lot of risk involved for both the company and their payment processor. Data breaches are on the rise, and healthcare organizations are a favorite target due to the lucrative nature of the data stolen. The major card brands and government entities can and will fine a payment processor if minimum standards are not met, and those non-compliance fees are meant to offset some of that cost.
Additionally, we use non-compliance fees to provide support and guidance to help encourage our customers to stay on the path to compliance. A lot of infrastructure is required to maintain a secure network, protect data and create policies to uphold security programs, and non-compliance fees are used to fund those programs.
The important thing to notice, though, is that these fees are put in place to protect the payment processor. Your business itself is still on the hook for any repercussions, monetary and regulatory, that would come your way in the case of a breach. We don’t want this! Our goal is to get you back on the path to compliance.
Now that we understand that a little better, what do you do next? Let’s tackle a few of the things we hear and what you can do to rectify the situation.
Oftentimes, once non-compliance is determined, the next thing we hear is, “Well, who’s responsible?” Since patient payments touch multiple departments and outsourced vendors, it’s not surprising to learn that no single person has leadership responsibility over the entire merchant services program. In these scenarios, the PCI compliance process is lost, non-compliance fees are assessed, and most importantly, if a data breach occurs, your organization has opened itself up to higher card brand fines by showing no effort toward compliance.
SOLUTION – Start by asking a few questions. Who is responsible for the entire credit card processing relationship? Who is responsible for ensuring PCI compliance? If no such person exists in the organization, it’s time to delegate the responsibility. You’ll find it is a lot easier to maintain compliance when someone is piloting the ship. Also, ask yourself if you have current PCI compliance certificates for all your payment channels, including areas such as your gift shop and cafeteria. It should be the new responsible party’s duty to ensure that each of these channels is accounted for.
We’re HIPAA Compliant, So We Should Be Secure
This is a common myth that gets brought up way too often. Many organizations believe they qualify for PCI compliance if they are HIPAA compliant. The logic goes that since HIPAA compliance is more important and stringent, PCI compliance just comes along with the process. Unfortunately, this isn’t true. While the tools deployed for each of these programs can complement the other’s efforts, HIPAA compliance does not guarantee PCI-DSS compliance. HIPAA was created to protect patient health information and patient records. PCI is focused on payment data.
SOLUTION – Shift your thinking and evaluate the tools you have in place. The entire team needs to have clarity on the processes used to secure payment data and how they are similar to AND different from those required for HIPAA compliance. Ensure that your policies are up-to-date, and evaluate the tools that you are using. For example, file integrity monitoring and encryption hardware should be in place. Wind River’s Advanced Security Package has 13 different tools that can be deployed. Find out what your merchant services provider can offer.
The Rules are Always Changing
Although this may be true, it is not a valid reason to forgo PCI compliance. According to a 2018 Trustwave Global Security report, “a healthcare record for a single targeted individual fetched an average $250, with some offerings going for significantly more.” No wonder the bad guys are relentless. There’s money to be made. And because of that, the rules need to keep pace to ensure you and your patients are protected. This creates a daunting process. Daunting, but not impossible. While most changes are announced in advance, some are enacted with little notice. Either way, the responsibility falls on the healthcare organization to keep up.
SOLUTION – This is where we come in! Work with your merchant services provider. They’re there to help you with this process. (And if they’re not, it’s time to find a new one. Might we suggest Wind River Financial?) A member of their security team can help you gain valuable insight on any changes taking place. Additionally, the PCI Security Standards Council website has a plethora of information.
These are just some high-level solutions to help your organization get back on the path to PCI compliance. The process can be convoluted, but the benefits to staying on track are significant. And you’re not alone in the process. Your merchant services provider is there to help you, especially since they have as much skin in the game as your organization does. If you have questions about how to proceed from this point, we’d be happy to help you. Let us know what’s holding you back from compliance, and we can help you develop a strategy to get you where you need to be.
Remember, the more patients pay with a debit or credit card, the higher your risk becomes.