The Stress-Free Way to Keep Your Independent EM Group PCI Compliant

A primer for emergency departments to stay in PCI compliance without adding more work to anyone’s plate.


In addition to the HIPAA rules your emergency department must follow, your ED should also consider compliance with credit card security requirements mandated by the Payment Card Industry Security Standards Council (PCI SSC).

These rules and regulations help protect both businesses and patients from data breaches, but building and maintaining a compliance program can feel overwhelming.

This resource breaks down what you need to know to protect your EM staff and patients.

First, What is PCI Compliance?

The Payment Card Industry (PCI) Security Standards Council was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa Inc., as a way to standardize security practices for organizations taking card payments.

The PCI Council:

  • Sets operational and technical requirements.
  • Makes rules software developers and manufacturers of applications and devices used in those transactions must follow.
  • Holds organizations accountable via PCI compliance validation.

The payment card security requirements published by the Council are known as the PCI Data Security Standards (PCI DSS).

It’s important for every emergency medicine group responsible for the security of cardholder data to diligently follow the PCI DSS guidelines for payment capture devices and payment applications.

When you’re compliant, you’re part of the solution — a united, global response to fighting payment data compromise.

And when you’re not, your ED could face serious penalties and consequences.

What Happens If Your ED Is Not PCI Compliant?

By regulation, all businesses that store, process, transmit, or affect the security of payment card data are required by their banks, payment gateways, or card brands to comply with the published PCI requirements.

These PCI standards apply to your ED’s:

  • Card readers
  • Point-of-sale systems
  • Networks and wireless access routers
  • Online payment applications
  • Payment card data storage and transmission
  • Payment card data stored in paper-based records

If your group violates PCI compliance standards, you may face:

  • Between $5,000 and $100,000 per month in fines. The big five credit card companies may impose regulatory fines your acquiring bank will need to pay. Your bank will then pass this cost down to you.
  • Costly expenses from forensic audits, card replacement costs, and settlements and judgments in the event of a breach.
  • Higher fees per transaction in the future.
  • Total revocation of your group’s ability to accept and process payment cards. Credit card companies and banks may terminate contracts after a breach or violation.
  • Loss of brand reputation, patient confidence, and industry trust.

Your first task is to create policies to safeguard this information.

But you’ll also need to identify areas for potential vulnerabilities, such as weaknesses in your network or easy access to paper records, if you want to become PCI compliant.

How to Become PCI Compliant

On the PCI Security Standards website you’ll find a 12-step PCI compliance checklist: the global data security requirements that every entity processing, storing, or transmitting cardholder data must adopt.

These steps include everything from adding firewalls and encrypting transmissions to restricting access to cardholder information and more.

Read all 12 steps to become PCI compliant in this free whitepaper!

Once you have followed these steps to keep your ED group in compliance, you’ll then need to prove it to the Council.

What It Takes to Validate Your EM Group’s PCI Compliance

The requirements for PCI compliance validation depend on what’s known as your Merchant Level.

Merchant Levels vary by card brand and are determined by the number of individual transactions (not the dollar amount) each business makes per year:

  • Level 1: Visa over 6 million; Amex over 2.5 million; MasterCard over 6 million; Discover over 6 million
  • Level 2: Visa 1 – 6 million; Amex 50K – 2.5 million; MasterCard 1 – 6 million; Discover 1 – 6 million
  • Level 3: Visa 20K – 1 million; Amex 10K – 50K; MasterCard 20K – 1 million; Discover 20K – 1 million
  • Level 4: Visa under 20K; Amex up to 10K; MasterCard all others; Discover all others

Most EDs fall under the Level 4 Merchants umbrella, which means they process between 10,000 and 20,000 card transactions annually.

Once you establish your specific Merchant Level, you’ll need to match it up with the PCI validation requirements per each card company:

Level 1

  • Visa: RoC by QSA, or company internal audit if signed by a company officer; quarterly ASV scans
  • Amex: RoC by QSA, or company internal audit if signed by a company officer; quarterly ASV scans
  • MasterCard: RoC by QSA, or company internal ISAs if signed by a company officer; quarterly ASV scans
  • Discover: RoC by QSA or company internal audit; quarterly ASV scans

Level 2

  • Visa: SAQ signed by a company officer; quarterly ASV scans
  • Amex: SAQ signed by a company officer; quarterly ASV scans; optional RoC by QSA
  • MasterCard: SAQ by QSA or ISA; quarterly ASV scans
  • Discover: SAQ; quarterly ASV scans

Level 3

  • Visa: SAQ; quarterly ASV scans
  • Amex: annual Self-Assessment Questionnaire and quarterly network scan (may be mandatory at American Express’ discretion)
  • MasterCard: SAQ; quarterly ASV scans
  • Discover: SAQ; quarterly ASV scans

Level 4

  • Visa: validation requirements set by acquiring bank
  • Amex: annual Self-Assessment Questionnaire and quarterly network scan (may be mandatory at American Express’ discretion)
  • MasterCard: validation requirements set by acquiring bank
  • Discover: validation requirements set by acquiring bank

Use this key to understand what those acronyms mean:

  • RoC: Report on Compliance
  • QSA: Qualified Security Assessor, a certification issued by the PCI SSC
  • ISA: Internal Security Assessor, a certification issued by the PCI SSC
  • ASV: Approved Scanning Vendor, an entity approved by the PCI SSC to perform external vulnerability scans
  • SAQ: Self-Assessment Questionnaire, a document published by the PCI SSC

ED groups in the Level 3 and Level 4 tiers need to complete self-assessment questionnaires and quarterly network scans performed by an Approved Scanning Vendor.

These vulnerability scans use an automated tool to identify devices on your network, or on your service provider’s network, that are exposed to known vulnerabilities. The idea is to find and fix those weaknesses before someone else has a chance to use them to compromise your stored cardholder data.

The Stress-Free Way to Keep Your Independent EM Group PCI Compliant

If all these steps and follow-through seem like something you don’t have the time or resources to handle, there is another choice.

Using a third party to manage your PCI compliance needs not only takes the task off your plate; it can also reduce your risk exposure and make it easier for your ED to validate your compliance efforts.


DuvaSawko knows you need to ensure the security and privacy of your business and your patients’ confidential information.

That’s why we help emergency medicine groups by acting as a PCI Service Provider, as part of our larger Revenue Cycle Management services.

In other words, our payment services handle your patients’ payment card data in a manner that meets many PCI DSS requirements on your behalf.

DuvaSawko partners with Authorize.net and other PCI-compliant service providers so PCI compliance is maintained throughout your entire payment acceptance process, including:

  • Payments made through your online patient portal
  • Payments taken over the phone
  • Payments received by postal mail

Click here for details about this PCI-compliant process in our free PCI compliance whitepaper!

So when your EM group undergoes PCI compliance validation, DuvaSawko will be considered your PCI-compliant Service Provider and will help make the process as smooth as possible.

During your onboarding as a Revenue Cycle Management client, you’ll receive documentation to assist your PCI compliance validation process, including a:

  • PCI Attestation of Compliance for Service Providers (AOC), which states that DuvaSawko has undergone a PCI assessment and is compliant with all applicable PCI DSS requirements.
  • PCI Responsibilities Matrix, which shows which PCI DSS requirements are DuvaSawko responsibilities, which are your EM group’s responsibilities, and which are shared. For shared requirements, the Matrix clearly defines which portion each entity is responsible for.

When completing the SAQ, all you need to do is compare the DuvaSawko-supplied PCI Responsibilities Matrix to the mandated requirements.

Any requirement listed as a DuvaSawko responsibility in the Matrix can be marked as “In Place” on the SAQ, which means that requirement is treated as met for your group.

Rest assured knowing we’re handling our end of your PCI compliance strategy while you focus on a smaller list of responsibilities.

With secure systems and processes in place, your patients will trust you with their sensitive payment card information and PCI compliance will no longer seem so overwhelming.

For a more in-depth look at PCI Compliance, please download our comprehensive PCI Compliance Whitepaper HERE!
