The “Data” Dozen
PCI Data Security Standards
Author: Christy Corey, President, TransFirst Health Services
Just when you think running your business cannot be any more complicated, we now all face a new challenge in the acceptance of credit cards. Security of cardholder data is a hot topic and one that is NOT going away. In today’s article, we’re going to give you the Data Security Standards set by Visa/MC for all merchants and hopefully a bit of insight and information to assist you in protecting your business from undue risk and liability associated with these compliance regulations.
First of all, let’s be clear: Visa and MC manage the entire credit card issuing and processing industry. They set the rules we all must abide by and for the most part, as we all carry credit cards as well as accept them, we can see that there is purpose and intent to make a system designed to serve us all. Recently, those rules have turned to protection of cardholder data relative to increasing cases around the country, in merchants of all shapes and sizes, where this data has been compromised. We can all read almost weekly now of another high profile establishment that has had data stolen from their system, truly representing a possible loss to each and every one of us! In response, the PCI Data Security Standards were established, and in fact today each and every merchant is REQUIRED to be compliant with these standards. Not all of the standards are in fact relevant to ALL merchants (depending upon how you accept cards, how you transmit the transactions, how you receive responses, how you store the receipts, etc.) BUT to figure out which likely pertain to you it’s going to take your time to review the items and consult with an expert to ensure you’re covered.
Where this subject gets even more complex than figuring out which items in fact are relevant to your business or practice is the fact that you’ll need to consult with a CERTIFIED vendor to get more information and answer specific questions. Visa/MC not only built the security standards, but then also set rules as to who in fact is suited to perform this consulting service with merchants; the companies that have done so are listed as certified and can be found on the Visa/MC websites. For the convenience of our merchants, TransFirst has contracted with one of the largest and most successful of these certified vendors, Security Metrics, at a special rate. For clients not yet using the TransFirst program available to the AADO Members, check with your existing processor for any similar service or contact TransFirst and we’ll be happy to provide information. (To contact TF Health, please call Rene’ Buzicky at 800-577-8573 x160 or e-mail: rbuzicky@transfirst.com)
At this point, most of our TF Health merchants fall into a Level 4 qualification (again, another item set by Visa/MC!) meaning that you must be compliant BUT that the extra VALIDATION step where you PROVE you’re compliant is not yet formalized. Right now, while we in our industry know it is coming, there is not a defined date where you must validate your compliance.
So, in summary:
All merchants today are required to be compliant with the Security Standards listed below. As you read through the items you’ll see they honestly make good business sense and are quite logical; they’ll be improving your business and protecting your patients’/clients’ card data security, and that’s important to all of us.
The threat of data compromise is not an idle one; it is happening today all around the world. The resulting lack of trust and credibility with cardholders, coupled with fines being imposed by Visa/MC, make this an issue that will not go away. We all need to adapt our processes and adopt the standards as part of our normal operations.
Today most of you are not required to VALIDATE your compliance, but it is coming. Best practice would be to begin reviewing this list and discussing any areas of concern with the preferred vendor we’ve provided for you or one of your choice, or asking questions as to which items pertain to you. The resulting feedback then should not be a source of alarm, but should begin a work order/project for you to begin managing into your daily process flow.
While TransFirst Health is committed to making every part of your merchant experience easy, don’t forget that while we can provide information, a certification from a registered PCI vendor will likely eventually be needed to meet the Visa/MC standards. We can certainly provide information for you as to what equipment you are using, our own knowledge as to whether that equipment is compliant, etc., and we will at any time JOIN you in discussions with any certified vendor to assist in your own comfort level.
PCI Data Security Standards
1-Install and maintain a firewall configuration to protect cardholder data.
2-Do not use vendor-supplied defaults for system passwords and other security parameters.
3-Protect stored cardholder data.
4-Encrypt transmission of cardholder data across open, public networks.
5-Use and regularly update anti-virus software.
6-Develop and maintain secure systems and applications.
7-Restrict access to cardholder data by business need-to-know.
8-Assign a unique ID to each person with computer access.
9-Restrict physical access to cardholder data.
10-Track and monitor all access to network resources and cardholder data.
11-Regularly test security systems and processes.
12-Maintain a policy that addresses information security.
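One practical place to start with item 3 (protect stored cardholder data) is finding out where full card numbers have crept into places they do not belong, such as appointment notes, refund memos or free-text receipt fields, and masking them. The script below is an added example written for this article; it is not code from TransFirst, Security Metrics or the PCI standards themselves. It sweeps a list of text records for digit runs that pass the Luhn check that real card numbers satisfy, reports which records held a full number, and rewrites the number so that only the first six and last four digits remain (the most the standard allows to be displayed). The sample records and card numbers are constructed test values, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample records of the kind a practice management or receipt
# system might hold. The card numbers are well-known test values, not real cards.
SAMPLE_RECORDS = [
    "Patient paid copay with card 4111111111111111 exp 12/29",
    "Refund issued to 5500 0000 0000 0004, ref #88213",
    "Appointment confirmed; phone 555-0100, chart 1234567890123",  # not a card number
    "Paid in cash",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled,
    digits above 9 have 9 subtracted, and the total must end in 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_record(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid card number in text with its masked form.
    Returns the rewritten text and how many numbers were masked."""
    count = 0

    def _sub(match: "re.Match") -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)  # chart numbers, phone numbers, etc. pass through
        count += 1
        return mask_pan(digits)

    return DIGIT_RUN.sub(_sub, text), count


def audit_records(records: List[str]) -> List[Tuple[int, int]]:
    """Return (record index, number of full PANs found) for each record
    that stored an unmasked card number."""
    findings = []
    for i, rec in enumerate(records):
        _, n = redact_record(rec)
        if n:
            findings.append((i, n))
    return findings


if __name__ == "__main__":
    for idx, n in audit_records(SAMPLE_RECORDS):
        redacted, _ = redact_record(SAMPLE_RECORDS[idx])
        print(f"record {idx}: {n} full card number(s) found -> {redacted}")
```

Run against a real export, the audit tells you which records need cleanup, and the masked form is what should be written back if the number has to stay at all. The Luhn check keeps ordinary 13-digit identifiers such as chart numbers from being flagged, so the sweep produces few false alarms; it will not catch a card number typed with a digit missing, which is one more reason the standard asks you to keep full numbers out of these fields in the first place.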