Technology
by Dawn Christodoulou, PEB XLDent President
PCI Compliance Standards Changes and How they Affect Your Dental Practice as a Level 4 Merchant

If you accept credit card payments, the Payment Card Industry standards changes published October of last year will affect you in the 2011 implementation year. Be alert to notices you may receive in your Merchant statements, as the industry addresses and attempts to put these standards in place. In addition, be aware that many Merchant Service Vendors may try to win your business under the guise of these new compliance requirements.
The PCI Data Security Standard is designed to ensure that secure environments exist for all merchants that process, store or transmit credit or debit card information. The latest revision of the compliance plan requires that all merchants (dental practices included) now follow these requirements to be considered compliant. Previously, compliance and adoption of the standard stopped with the Merchant Service Vendor and did not trickle down to the merchant level.

While the process of attaining the status of “PCI Compliant” at the merchant level is Merchant Service Vendor directed, it will be Merchant paced during this period of standards adoption. How long the adoption period will last is uncertain, but compliance will be a prerequisite at some time in the future. Eighty-five percent of data security breaches occur in Level 4 businesses, so smaller merchants must take more accountability for policing themselves. Given the threat of potential security breaches that exists today, I think everyone in the dental industry would agree that it just makes good business sense to take the measures necessary to protect patient card data.
As part of the movement to engage merchants in the process of becoming PCI DSS compliant, many Merchant Service Providers are offering their merchants access to Compliance Services as part of their card processing solution. The compliance standard indicates that merchants must complete a Self-Assessment Questionnaire annually and that they also complete a quarterly Network Scan, as specified by their Service Provider. At present, participation is voluntary (self-paced), but the associated fee to administer the service is not. As an added incentive to complete the Self-Assessment Questionnaire (SAQ), some Service Providers may discount this PCI Compliance fee. If your Merchant Service Provider does not offer these services, you would need to contract with a Compliance Service Provider directly and navigate the process independently to attain the status of “PCI Compliant.” ControlScan, for example, offers a PCI Compliance Solutions package for $249.00 per year. Obtaining this service through a Service Provider such as TransFirst will reduce that cost to about $75.00–$115.00 per year.

Issue 1 2011
CATALYST MAGAZINE
At first glance, the PCI compliance process seems daunting; but really, it just boils down to 12 requirements.* They are:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. Under HIPAA, you are responsible for maintaining the privacy and security of PHI, so network security should already be a top priority in your office. Reputable Network Service Providers routinely address these elements as part of their offering.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks. If your solution is integrated with your Practice Management software, it is likely that strict security guidelines were followed during the development process to ensure protection of this data. For example, XLDent’s integrated XLCharge solution does not store any card data and completes the entire transaction within a secure payment gateway.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
*12 requirements and complete PCI DSS Compliance information available at www.pcisecuritystandards.org
As a HIPAA covered entity, you must comply with the HITECH Act, so in all likelihood you are already doing most of this. All you have to do to achieve PCI Compliance is extend your security protocols to include cardholder data.

In the end, whether self-paced or industry directed, common sense practices just make good business sense. PCI Compliance can help you reduce your risk of security breaches and the potential of fines.