Credit Card Compliance For Your Practice

April 27, 2017

Processing credit cards leaves the door open for cyber-attacks, here's what physicians need to know.

Most physicians are familiar with HIPAA and the HITECH Act. But complying with the Payment Card Industry Data Security Standard (PCI DSS) is equally important.

As more insurance companies and banks are asking about compliance with various privacy and security laws and regulations, it is imperative that physicians acknowledge some of the same standards that apply to PHI also apply to credit card processing. The Federal Trade Commission has brought actions against a variety of businesses for cybersecurity breaches resulting from the point of sale.

In order to provide more insight, I interviewed Kevin Hodes, best-selling author, PCI DSS industry expert and founder of Swypit, a payment processing software. The following questions and answers are meant to assist physicians and other healthcare entities with PCI DSS compliance.

RR: What are the most common areas of vulnerability associated with credit card processing?

KH: A fundamental area is not meeting the technical specifications that PCI DSS requires. With the rise of ransomware attacks, this is an increasingly important point of focus, which requires vigilance because the standards are always evolving.

Another area is related to a data back-up plan. A computer system failure can be devastating for your company if you don't have a backup plan to retrieve your company's data. Your computer system may fail for a variety of reasons. A natural disaster may inundate your building. Think of the destruction a storm like Hurricane Katrina could unleash on your building. Fire could wipe out all your servers and computers.

You could also lose your system through man-made actions. Hackers could steal your computer data and hold it ransom until you pay them a significant amount of money. A disgruntled employee may take down your system right before they walk out the door.

RR: Swypit requires clients to undergo PCI DSS training – why?

KH: Swypit takes privacy and data protection issues very seriously. We understand the importance of confidentiality and trust when handling personal and private financial information. Because of the sophistication of cyber hackers, as well as the risk to the individual's data that is being processed, we require organizations to undergo annual training before they become a client. With the increased government investigations, insurance company requirements, and bank loan questionnaires, it is in everyone's best interest to understand the standards.

RR: What advice do you have for physicians, regardless of their practice size, in order to help thwart the risk of a ransomware or other cybersecurity attack?

KH: As previously mentioned, prevention is crucial. Prevention begins with training, having the right equipment and making sure a data back-up and recovery plan is in place. I have personally helped a physician client through the process. Cyber thieves can intercept and redirect payments, even if a ransom notice is not posted. We recognize that physicians and their patients have an expectation of a right to privacy. Furthermore, we maintain strict standards of security and confidentiality designed to prevent misuse of any information our customers share with us.