PCI in ASCs
Payment card industry (PCI) compliance is an area often overlooked by ASCs, and by many other small businesses, for that matter. The PCI Data Security Standard is a set of regulations put forth by the credit card companies. These regulations offer a level of security to consumers who use credit cards for business transactions, including transactions with healthcare organizations.
Typically, in an ASC, a patient presents their credit card, which is run through a merchant services system. The patient’s co-pay or balance is put on the credit card and applied to their account.
When people think about compliance with credit card use, it is often in relation to the retail environment. For example, when consumers visit a Home Depot and use their credit card, they expect that Home Depot’s system has met the requirements to accept credit cards. Therefore, they assume the business is PCI compliant, which is likely, since credit cards are a primary source of payment.
What is often misunderstood is that meeting PCI compliance standards is a responsibility of all businesses that accept credit card transactions. That can include in-person transactions with a physical card, transactions via phone, and transactions online, all of which can apply to ASCs. For online payments, some ASCs have an Internet portal, where patients click on a link that takes them to a credit card processor through which they enter their credit card information.
The purpose of PCI compliance standards is to provide consumers with an understanding that when they offer their credit card to a business, that business is delivering a specific, achieved level of security. The broader intent is to help ensure credit card fraud does not run rampant.
If you follow the news, you are likely aware of the constant reports of major data breaches within and outside of healthcare. Those businesses were all likely PCI compliant and yet were still hacked into and had their information stolen. PCI compliance standards are not a guarantee against intrusion. Intrusion prevention and information theft cannot be guaranteed. Rather, PCI compliance standards establish a minimum threshold for how difficult it will be for a criminal to gain access and obtain that information.
PCI compliance also provides a level of guarantee to the merchant and consumer. By entering into an agreement with credit card companies to accept their cards and achieving PCI compliance, you gain a partner: should you suffer a breach, these companies will work with you to address it and help ensure the breach is mitigated. They will also provide customers with resources and return monies that may have been taken as a result of the breach.
Failure to Comply
Failing to be PCI compliant increases your level of risk. Should you suffer a breach and be found to be non-PCI compliant, the credit card companies have no obligation to work with you. You will likely be on your own. This means you are responsible for taking care of notifications. You may also be responsible for refunding money illegally removed from a patient’s account.
The reason? Without PCI compliance, you are essentially in breach of your agreement with the payment card companies. They are not likely to provide their assistance and support at the times when that assistance and support are most needed. Understand that by signing up as a business that accepts credit cards, you are entering an agreement with a credit card provider. In that agreement, the credit card provider requires you to be PCI compliant. Note: If you accept credit cards and want to purchase cyber-liability insurance, the cyber-liability insurance company will likely ask you to attest to being PCI compliant. If you state you are not PCI compliant, you will either not qualify for cyber-liability insurance or end up paying much more for it than is necessary.
Confronting the Challenges
Why is PCI compliance a challenge for some ASCs? Managers may not consider that their center is a point of contact for credit card transactions, and that they are therefore required to achieve and maintain PCI compliance for as long as they accept credit card payments. Since ASCs are not thought of as retail organizations, managers may feel their center is not required to be PCI compliant. Some managers may lack awareness of PCI compliance because they do not oversee a payment-focused business like a retail organization.
Understanding PCI compliance is just one small step toward meeting the requirements. Unfortunately, once managers start moving down the path toward PCI compliance, they usually find it difficult to navigate. Like most rules and regulations, PCI compliance is complicated, both in its technology requirements and in its financial aspects. These can depend on items such as the number of transactions performed by a business and how the business handles credit card information.
Some of the initial questionnaires for the PCI compliance system are 80 pages. That’s 80 pages just to start the process of PCI compliance. That’s 80 pages of very specific questions, with a large majority of them being technical or IT related.
Why is the questionnaire so long? The PCI Security Standards Council puts companies into categories based on the type of system they use to process credit cards rather than the type of business. This means that while you may only conduct 500 credit card transactions a year, you are answering the same questionnaire as a company that does 500,000 transactions. Administrators running an ASC—particularly a busy center—will likely not have the time, knowledge and/or resources available to answer most of those questions. Administrators hit roadblock after roadblock and do not see a pathway to move forward. Therefore, the PCI compliance project may get put on the shelf in favor of other, more achievable projects. In some cases, ASCs never get back to PCI compliance.
Path to Success
The good news is that there is likely a way to move forward, though it is unknown to most facilities. You are probably already paying for a service that can help you obtain PCI compliance; you may not even know it. Many merchant services companies include, as part of their offerings, a service that provides a resource which can help. In some cases, they go as far as to work with and guide a business through the PCI compliance process. It is not usually a service openly advertised when a business signs a merchant services agreement. The merchant services company used by our centers grants access to an online portal that provides guides and instructions on how to fill out the PCI compliance questionnaire. Center administration answers a series of questions, and each answer leads to the next relevant question, in a format that is much easier to understand.
This process essentially breaks the 80-page questionnaire down to about 20 questions. With those answers, the merchant services company provides the center with a roadmap on how to achieve compliance. This includes the steps to take, the attestations to make and what (and where) the center needs to submit in order to receive the PCI compliance certificate. In this case, the certificate is also supplied by the merchant services company. If a center chose not to work with a merchant services company on PCI compliance, administration would likely visit the PCI compliance website (www.pcisecuritystandards.org).
There they would find a helpful set of pages addressing the importance of PCI compliance and how to move through the compliance path. Unfortunately, following those steps would take them to the longer questionnaire. The reason for the broad chasm between what you see on the PCI compliance website and the experience of working with a merchant services company is primarily a matter of audience. A merchant services company, which should understand your business, is able to direct you to focus on the areas that apply to your business. The PCI Security Standards Council created a tiered system; therefore, a small business like an ASC does not have the same burden of compliance as a large clearinghouse conducting millions of transactions a day.
Merchant services companies are required to perform a lot of heavy lifting for their own PCI compliance. Their PCI compliance burden is much greater than that of an ASC using a portal through a merchant services company to process transactions. Remember, the intent of PCI compliance is to ensure credit card fraud does not run rampant. PCI compliance provides a level of guarantee to the merchant and consumer; therefore, failing to be PCI compliant increases your level of risk. Understanding PCI compliance is just one small step toward meeting the requirements, but there are ways to move forward.
About the Author
Gene Goroschko is Senior Vice President of Information Systems. He is responsible for designing and deploying the information systems in use at PE GI Solutions and PE affiliated centers. He has been an active participant in the rapidly changing world of computers and information systems, from their formative years right up to today’s cutting-edge technology. Gene has been the architect of network and information systems all across the country. He has designed, installed and maintained systems for clients as varied as the United States Military and the United Way.