Since 1977, Kirschenbaum & Kirschenbaum has provided the highest quality legal advice and services, whether litigious or transactional.
March 18, 2014
By: Ricky Zimmerman (The newest addition to our healthcare department!)
So you want to store your patients’ credit card information to facilitate billing. Great! Doing so will save time and effort on the parts of both your staff and your patients. But you also may have heard recent stories of credit card information being stolen from such businesses as Sony and Target. Less great! So what can you do to make sure that your business isn’t the next one in the news?
Luckily, there are established guidelines to help you keep your patients’ information safe and minimize your liability in the event that something goes wrong. The major credit card companies have collaborated on a set of guidelines that reflect what they believe are the best practices for safely storing card information, called the Payment Card Industry Data Security Standard (PCI-DSS). These practices are actually “mandatory” according to the PCI, but because enforcement is left to the credit card companies themselves, you’re unlikely to encounter a problem simply for not complying.
Where you can run into problems, however, is in the event of a security breach. If patient credit card information is stolen from your office, you need to be able to show that you did everything you could to keep it from happening. That’s where the PCI standards come into play. The PCI-DSS consists of 12 steps for keeping customer credit card information safe. Those steps are:
If your office holds onto credit card information, then you’re probably already complying with most of these steps. Everyone knows that you need a firewall and anti-virus software, and that the password to your credit card library probably shouldn’t be “12345.”
But the trickiest of the above requirements is probably number 3 – Protect stored cardholder data. Beyond what the other steps recommend, what does that mean? While protecting stored cardholder data is somewhat of an amorphous – and redundant – mandate, the PCI has outlined several suggestions for how to get started. Those suggestions include storing as little information as possible (for example, you should never store a patient’s PIN or CVV number), deleting information as soon as it’s no longer needed, and masking the card number when it’s displayed onscreen.
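The three concrete practices listed above (store as little as possible, delete it once it is no longer needed, mask the card number on screen) are easy to state and easy to get wrong in an office billing system. The following Python module is an added example written for this post, not code from the firm or from the PCI; the field names, the `CardOnFile` record, and the 90-day retention window are assumptions chosen for illustration. It shows a card-on-file store that has no place to put a PIN or CVV at all, refuses a submission that tries to include one, displays only the last four digits, and purges records past the retention window.

```python
"""Added example: the three "protect stored cardholder data" practices
from the post, applied to a constructed card-on-file store.  All names
and the retention window are assumptions, not PCI or firm policy."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed office policy: keep a card on file for at most 90 days.
RETENTION_DAYS = 90

# Fields that must never be written to storage (the post: "never store a
# patient's PIN or CVV number").
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "security_code", "pin"}


@dataclass(frozen=True)
class CardOnFile:
    """Only what billing needs; deliberately no CVV or PIN attribute."""
    patient_id: str
    pan: str          # card number, digits only
    expiry: str       # "MM/YY"
    stored_on: date   # used by purge_stale() to apply the retention window


def normalise_pan(raw: str) -> str:
    """Strip spaces/dashes and sanity-check the length (13 to 19 digits)."""
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number must have 13 to 19 digits")
    return digits


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Masking for on-screen display: everything but the last four digits hidden."""
    digits = normalise_pan(pan)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def record_card(store: dict[str, CardOnFile], form: dict, today: date) -> CardOnFile:
    """Store a card from a submitted form, refusing anything beyond the minimum."""
    present = FORBIDDEN_FIELDS & {k.lower() for k in form}
    if present:
        # Fail loudly rather than silently persisting a PIN or CVV.
        raise ValueError(f"refusing to store {sorted(present)}: never persist PIN or CVV")
    card = CardOnFile(form["patient_id"], normalise_pan(form["pan"]), form["expiry"], today)
    store[card.patient_id] = card
    return card


def purge_stale(store: dict[str, CardOnFile], today: date,
                retention_days: int = RETENTION_DAYS) -> list[str]:
    """Delete cards older than the retention window; return the ids removed."""
    cutoff = today - timedelta(days=retention_days)
    stale = sorted(pid for pid, card in store.items() if card.stored_on < cutoff)
    for pid in stale:
        del store[pid]
    return stale


def demo() -> dict:
    """Walk the three practices over constructed sample data and return the outcome."""
    today = date(2014, 3, 18)
    store: dict[str, CardOnFile] = {}
    kept = record_card(store, {"patient_id": "p1", "pan": "4111 1111 1111 1111",
                               "expiry": "12/29"}, today)
    try:  # a form that carries the CVV along with the card number
        record_card(store, {"patient_id": "p3", "pan": "4111111111111111",
                            "expiry": "12/29", "cvv": "123"}, today)
        cvv_refused = False
    except ValueError:
        cvv_refused = True
    # A record stored 120 days ago, i.e. past the assumed retention window.
    store["p2"] = CardOnFile("p2", "5555555555554444", "01/30", today - timedelta(days=120))
    purged = purge_stale(store, today)
    return {"display": mask_pan(kept.pan), "cvv_refused": cvv_refused,
            "purged": purged, "remaining": sorted(store)}


if __name__ == "__main__":
    print(demo())
```

Storing the full card number, even in a minimal record like this, is still storing cardholder data: the module narrows what is kept and how long, but encryption at rest, access control, and the rest of the 12 steps still apply to whatever survives the purge.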
Once you’ve followed those instructions as best you can, the next step is validation. The PCI instructs that businesses that store credit card data need to validate their compliance with the PCI-DSS in one of two ways: 1) businesses performing over 1 million credit card transactions per year should have an on-site audit of their PCI compliance each year, and 2) businesses that fall short of that threshold should submit an annual self-assessment of their compliance, signed by a corporate officer. Validating your compliance with the PCI standards adds another layer of protection for you in the event that your office’s information storage policies come under scrutiny.
Here are some general questions to ask regarding your retention of payment information: Why are we taking the information? How are we storing it? Who has access? What’s the process for deletion once it’s no longer needed? There are no ideal answers to these questions, but the goal is for your office policies to make the information as safe as reasonably possible while it’s in your care. The PCI guidelines can help you make good decisions about the information you store, but the most important thing is to use common sense. Think hard about the payment data you take possession of, and do everything you can to keep it safe. Your patients will thank you.
If you have any questions about maintaining credit cards, please do not hesitate to contact Ricky (516 747 6700 x. 306) or Jennifer at x. 302.