As consumer-directed health care and health plan deductibles are on the rise, patient payments have increased. Today, patients are paying for their healthcare with a variety of cards such as debit, credit, health savings accounts, and flexible spending accounts. Because of increased use of debit and credit card payments, healthcare providers and organizations must ensure payment card compliance.
Historically, those in the healthcare industry did not usually receive payments through payment cards. Now they have a lot to learn about complying with payment security standards and avoiding data breaches. Achieving compliance best practices starts with understanding the Payment Card Industry (PCI) Data Security Standard.
PCI Data Security Standard (PCI-DSS)
The Payment Card Industry Security Standards Council mandates the PCI-DSS. The Council comprises branded credit cards from the major card issuers. The PCI-DSS consists of twelve requirements for compliance organized into six groups called "control objectives." The control objectives increase controls around cardholder data to reduce or mitigate fraud and security breaches.
Organizations wishing to accept payment via payment cards must have their compliance validated annually by external assessments.
Why PCI-DSS compliance is important
In the healthcare industry, just as compliance with HIPAA controls securing protected health information (PHI), compliance with PCI-DSS will help you reduce the risk of a data breach with payment cards.
According to Verizon's PCI-DSS Compliance Report, over a ten-year period, none of the companies they investigated had maintained compliance at the time they were breached. Some had been compliant at one point but had let it slide. A full 80 percent of the companies investigated for the report failed an interim assessment.
Here's what others faced during PCI-DSS data breaches:
- Home Depot. Home Depot had a malware breach that affected 56 million payment cards. Besides customer outrage, Home Depot ended up paying a $19.5 million data breach settlement.
- U.S. Office of Personnel Management. Hackers stole personnel files of 4.2 million current and former government employees. They also stole millions of security clearance background investigation information.
- TJX Companies. TJX didn't comply with 9 out of the 12 PCI-DSS requirements, which resulted in over 45 million payment and numbers stolen.
Here's what you could face if a breach happened in your payment process:
The second most common type of data breach according to Breach Level Index is financial access. A full 18.4% or 330 of all 1,792 breaches in 2016 was to gain financial access to 738 million payment records. For each lost or stolen record in 2016, companies paid an average $221 per record.
In the U.S., when you add up the total bill for your liability during and after a data breach, you're looking at $7,010,000 per event. Add to that the potential loss of clients, bad publicity for your payment service, or even cancellation of your merchant account, and data breaches are very costly.
What you should do to implement and sustain PCI compliance
PCI compliance starts with a solid merchant agreement. Your agreement should detail how you accept payment cards in compliance with PCI-DSS. Here are the most important components of PCI-DSS requirements for your payment service:
- Do not process payments through your bank account before disbursing them. PCI does not permit a company to take patient payments, deposit them in your bank account, and then disburse them to your clients.
- Do not copy or store payment card data, as the risks of storing payment card data are highly serious.
- Maintain strong IT security measures. Use of strong access control measures, regularly monitoring your network, and complying with information security policies is a must.
- Encrypt data end to end. Encrypted data, if lost or stolen, is not accessible to others if a breach occurs.
- Conduct continuous training. To make sure employees understand how to prevent unintentional breaches, provide regular training on proper security policies.
Payment card breaches are a serious threat that you can and should manage. As patients increasingly utilize credit and debit cards to pay for their healthcare payments, it is crucial you stay on top of PCI compliance. Ensuring your payment processing solutions are PCI compliant will help you mitigate the risk of a breach and keep your patients' data safe and secure, just as you protect their PHI.
To learn how BillingTree can help you provide payment services that are PCI, SSAE-16 and HIPAA compliant, contact us to request a demo today.