Technology
by Dawn Christodoulou, PEB XLDent President
Issue 1 2011 CATALYST MAGAZINE

PCI Compliance Standards Changes and How They Affect Your Dental Practice as a Level 4 Merchant

If you accept credit card payments, the Payment Card Industry standards changes published in October of last year will affect you in the 2011 implementation year. Be alert to notices you may receive in your Merchant statements as the industry addresses these standards and attempts to put them in place. In addition, be aware that many Merchant Service Vendors may try to win your business under the guise of these new compliance requirements.

The PCI Data Security Standard is designed to ensure that secure environments exist for all merchants that process, store or transmit credit or debit card information. The latest revision of the compliance plan requires that all merchants (dental practices included) now follow these requirements to be considered compliant. Previously, compliance and adoption of the standard stopped with the Merchant Service Vendor and did not trickle down to the merchant level. While the process of attaining the status of “PCI Compliant” at the merchant level is Merchant Service Vendor directed, it will be Merchant paced during this period of standards adoption. How long the adoption period will last is uncertain, but compliance will be a prerequisite at some time in the future.

Eighty-five percent of data security breaches occur in Level 4 businesses, so smaller merchants must take more accountability for policing themselves. Given the threat of potential security breaches that exists today, I think everyone in the dental industry would agree that it just makes good business sense to take the measures necessary to protect patient card data. As part of the movement to engage merchants in the process of becoming PCI DSS compliant, many Merchant Service Providers are offering their merchants access to Compliance Services as part of their card processing solution.

The compliance standard indicates that merchants must complete a Self-Assessment Questionnaire annually and that they also complete a quarterly Network Scan, as specified by their Service Provider. At present, participation is voluntary (self-paced), but the associated fee to administer the service is not. As an added incentive to complete the Self-Assessment Questionnaire (SAQ), some Service Providers may discount this PCI Compliance fee. If your Merchant Service Provider does not offer these services, you would need to contract with a Compliance Service Provider directly and navigate the process independently to attain the status of “PCI Compliant.” ControlScan, for example, offers a PCI Compliance Solutions package for $249.00 per year. Obtaining this service through a Service Provider such as TransFirst will reduce that cost to about $75.00–$115.00 per year.

At first glance, the PCI compliance process seems daunting; but really, it just boils down to 12 requirements.* They are:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

…ers. Under HIPAA, you are responsible for maintaining the privacy and security of PHI, so network security should already be a top priority in your office. Reputable Network Service Providers routinely address these elements as part of their offering.

3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

If your solution is integrated with your Practice Management software, it is likely that strict security guidelines were followed during the development process to ensure protection of this data. For example, XLDent’s integrated XLCharge solution does not store any card data and completes the entire transaction within a secure payment gateway.

5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

*The 12 requirements and complete PCI DSS Compliance information are available at www.pcisecuritystandards.org

As a HIPAA covered entity, you must comply with the HITECH Act, so in all likelihood you are already doing most of this. All you have to do to achieve PCI Compliance is extend your security protocols to include cardholder data.

In the end, whether self-paced or industry directed, common sense practices just make good business practices. PCI Compliance can help you reduce your risk of security breaches and the potential of fines.