A primer for emergency departments to stay in PCI compliance without adding more work to anyone’s plate.
In addition to the HIPAA rules your emergency department must follow, your ED should also consider compliance with credit card security requirements mandated by the Payment Card Industry Security Standards Council (PCI SSC).
These rules and regulations may protect both businesses and patients from data breaches, but they can also be overwhelming to create and maintain.
This resource will break down everything you need to learn to protect your EM staff and patients.
First, What is PCI Compliance?
The Payment Card Industry (PCI) Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc., as a way to standardize security practices for organizations taking card payments.
The PCI Council:
- Sets operational and technical requirements.
- Sets rules that software developers and the manufacturers of applications and devices used in those transactions must follow.
- Holds organizations accountable via PCI compliance validation.
The payment card security requirements published by the Council are known as the PCI Data Security Standards (PCI DSS).
It’s important for every emergency medicine group responsible for the security of cardholder data to diligently follow the PCI DSS guidelines for payment capture devices and payment applications.
When you’re compliant, you’re part of the solution — a united, global response to fighting payment data compromise.
And when you’re not, your ED could face serious penalties and consequences.
What Happens If Your ED Is Not PCI Compliant?
By regulation, all businesses that store, process, transmit, or affect the security of payment card data are required by their banks, payment gateways, or card brands to comply with the published PCI requirements.
These PCI standards apply to your ED’s:
- Card readers
- Point-of-sale systems
- Networks and wireless access routers
- Online payment applications
- Payment card data storage and transmission
- Payment card data stored in paper-based records
If your group violates PCI compliance standards, you may face:
- Between $5,000 and $100,000 per month in fines. The big five credit card companies may impose regulatory fines your acquiring bank will need to pay. Your bank will then pass this cost down to you.
- Costly expenses from forensic audits, card replacement costs, and settlements and judgments in the event of a breach.
- Higher fees per transaction in the future.
- Total revocation of your group’s ability to accept and process payment cards. Credit card companies and banks may terminate contracts after a breach or violation.
- Loss of brand reputation, patient confidence, and industry trust.
Your first task is to create policies to safeguard this information.
But you’ll also need to identify areas for potential vulnerabilities, such as weaknesses in your network or easy access to paper records, if you want to become PCI compliant.
How to Become PCI Compliant
On the PCI Security Standards website you’ll find a 12-step PCI Compliance Checklist: the global data security standards that all entities which process, store, or transmit cardholder data must adopt.
These steps include everything from adding firewalls and encrypting transmissions to restricting access to cardholder information and more.
Read all 12 steps to become PCI compliant in this free whitepaper!
When you follow these steps to keep your ED group in compliance, you’ll then need to prove it to the Council.
What It Takes to Validate Your EM Group’s PCI Compliance
The requirements for PCI compliance validation depend on what’s known as your Merchant Level.
Merchant Levels vary by card brand and are determined by the number of individual transactions (not the dollar amount) each business makes per year:
| Level | Visa | Amex | MasterCard | Discover |
|---|---|---|---|---|
| 1 | Over 6 million | Over 2.5 million | Over 6 million | Over 6 million |
| 2 | 1 – 6 million | 50K – 2.5 million | 1 – 6 million | 1 – 6 million |
| 3 | 20K – 1 million | 10K – 50K | 20K – 1 million | 20K – 1 million |
| 4 | Under 20K | Up to 10K | All others | All others |
Most EDs fall under the Level 4 Merchants umbrella, which means they process between 10,000 and 20,000 card transactions annually.
Once you establish your specific Merchant Level, you’ll need to match it up with the PCI validation requirements per each card company:
| Level | Visa | Amex | MasterCard | Discover |
|---|---|---|---|---|
| 1 | | | | |
| 2 | | | | |
| 3 | | Annual Self-Assessment Questionnaire and Quarterly Network Scan (may be mandatory at American Express’ discretion) | | |
| 4 | Validation requirements set by acquiring bank | Annual Self-Assessment Questionnaire and Quarterly Network Scan (may be mandatory at American Express’ discretion) | Validation requirements set by acquiring bank | Validation requirements set by acquiring bank |
Use this key to understand what those acronyms mean:
- ROC: Report Of Compliance
- QSA: Qualified Security Assessor, a certification issued by the PCI SSC
- ISA: Internal Security Assessor, a certification issued by the PCI SSC
- ASV: Approved Scanning Vendor, an entity approved by the PCI SSC to perform external vulnerability scans
- SAQ: Self-Assessment Questionnaire, a document published by the PCI SSC
ED groups in the Level 3 and Level 4 tiers need to complete a self-assessment questionnaire and quarterly network scans by an Approved Scanning Vendor.
These vulnerability scans use an automated tool to identify devices on your network (or on your service provider’s network) that are exposed to known vulnerabilities. The idea is to find and fix these weaknesses before anyone else has a chance to use them to compromise your stored cardholder data.
If all these steps and follow-through seem like something you don’t have the time or resources to handle, there is another choice.
Using a third-party to manage your PCI compliance needs may not only take the task off your plate, but it may also reduce your risk exposure and make it easier for your ED to validate your compliance efforts.
How DuvaSawko Helps Your Emergency Department Stay PCI Compliant
DuvaSawko knows you need to ensure the security and privacy of your business and your patients’ confidential information.
That’s why we help emergency medicine groups by acting as a PCI Service Provider, as part of our larger Revenue Cycle Management services.
In other words, our payment services handle your patients’ payment card data in a manner which meets many PCI DSS requirements on your behalf.
DuvaSawko partners with Authorize.net and other PCI-compliant service providers so that PCI compliance is maintained throughout your entire payment acceptance process, including payments made:
- Through your online patient portal
- Over the phone
- By postal mail
Click here for details about this PCI-compliant process in our free PCI compliance whitepaper!
So when your EM group undergoes your PCI compliance validation, DuvaSawko will be considered your PCI-compliant Service Provider and help make the process as smooth as possible.
During your onboarding as a Revenue Cycle Management client, you’ll receive documentation available to assist your PCI compliance validation process, including a:
- PCI Attestation of Compliance for Service Providers (AOC), which states that DuvaSawko has undergone a PCI assessment and is compliant with all applicable PCI DSS requirements.
- PCI Responsibilities Matrix, which shows which PCI DSS requirements are DuvaSawko’s responsibility, which are your EM group’s responsibility, and which are shared. For shared requirements, the Matrix clearly defines which entity is responsible for which part.
When completing the SAQ, all you need to do is compare the DuvaSawko-supplied PCI Responsibilities Matrix to the mandated requirements.
Any requirement listed as a DuvaSawko responsibility in the Matrix can be marked as “In Place” on the SAQ, which means you’ll be considered in compliance.
Rest assured knowing we’re handling our end of your PCI compliance strategy while you focus on a smaller list of responsibilities.
With secure systems and processes in place, your patients will trust you with their sensitive payment card information and PCI compliance will no longer seem so overwhelming.
For a more in-depth look at PCI Compliance, please download our comprehensive PCI Compliance Whitepaper HERE!