The Basics of PCI Compliance
Businesses today, regardless of size, should accept card-based payments. Besides the convenience it offers to customers, card-based payment is the most secure form of payment. Many card providers have adopted a unified regulation applicable to businesses that accept these payments. This regulation protects consumers and their personal and financial data. But how does it impact a typical small- or medium-sized business (SMB) or healthcare practice?
Understanding PCI
The members of the Payment Card Industry (PCI) Security Standards Council established the PCI Data Security Standard (PCI DSS) in 2006. The council sought to help the payment card industry self-regulate and set consumer privacy and data protection standards for businesses to follow. Undoubtedly, you have a card issued by a council member—Visa, Mastercard, American Express, and Discover.
The council established standards for all businesses that accept payment cards from their customers. If you process or store payment information or digital payments, PCI DSS compliance is mandatory.
To remain compliant, any business accepting payment cards must:
1. Change passwords from system default
2. Install robust network security tools (such as antivirus software and firewalls) that protect card data
3. Encrypt transmission of card data across public networks
4. Restrict the transmission of card and cardholder data to a “need to know” basis
5. Assign a user ID to all users with server or database access
6. Make efforts to protect physical and digital access to card and cardholder data
7. Monitor and maintain system security
8. Test system security regularly
9. Create written policies and procedures to address the importance of securing cardholder data
10. Train staff on best practices of accepting payment cards
Any business—of any kind—that accepts credit card payments must follow all ten requirements. Many practices already comply with these demands when conducting business. But if your practice is not in lockstep with these standards yet accepts card-based payments, non-compliance could land you in deep trouble.
PCI DSS and the Size of Your Business
All businesses and healthcare practices are responsible, across the board, for complying with the above checklist. Based on the level of business you operate (according to the PCI Security Standards Council), your business must also address other needs. Per council definitions, your practice falls under one of four different levels:
- Merchant Level #1 – Processes more than 6 million payment card transactions per year.
- Merchant Level #2 – Processes between 1 million and 6 million payment card transactions per year.
- Merchant Level #3 – Processes between 20,000 and 1 million eCommerce payment card transactions per year.
- Merchant Level #4 – Processes fewer than 20,000 eCommerce payment card transactions and fewer than 1 million payment card transactions overall per year.
Since a Level 1 breach would almost certainly affect a large number of consumers, the regulatory focus of the PCI Council tends to fall on large organizations. The council simply does not have the resources to check every business constantly, regardless of size. However, this does not mean that SMBs escape serious risk. Below are some of the requirements healthcare practices must fulfill, based on Merchant Level.
Merchant Level #1
Considering the scale of these businesses and their reach with consumers, both online and in-store, these merchants are held to a much higher degree of responsibility. PCI DSS compliance for Merchant Level #1 requires them to:
- Complete a yearly Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
- Undergo a quarterly network scan by an Approved Scanning Vendor (ASV)
- Complete the Attestation of Compliance Form for PCI Council records
Merchant Level #2
Requirements relax as transaction volume decreases, so Merchant Level #2 dictates that these merchants:
- Perform a yearly Self-Assessment Questionnaire (SAQ)
- Allow an ASV to complete a quarterly network scan
- Complete the Attestation of Compliance Form for PCI Council records
Merchant Level #3
This classification applies to most medium-size businesses. Merchants must:
- Perform an SAQ
- Allow an ASV to complete a quarterly network scan
- Complete the Attestation of Compliance Form for PCI Council records
Merchant Level #4
This level applies to the vast majority of small businesses. Like the prior two merchant levels, this level requires that all merchants:
- Perform an SAQ
- Allow an ASV to complete a quarterly network scan
- Complete the Attestation of Compliance Form for PCI Council records
Noncompliant businesses are subject to review. Typically, they’re fined, kept under closer scrutiny, or even prohibited from accepting card payments.
Assuredly, you do not want your practice to fall afoul of compliance.