PCI and You: Navigating new privacy regulations
Understanding Payment Card Industry Data Security Standards
About a year ago, the credit card industry established guidelines and regulations — called Payment Card Industry Data Security Standards, or PCI — aimed at protecting consumers from credit fraud and identity theft by setting standards for handling, transmitting and storing sensitive cardholder data. Everyone who accepts credit cards as a form of payment must adhere to the guidelines or face penalties or fines. Without an enforcement body in place to verify compliance, fines are unlikely, but should a case of theft or fraud occur at a non-compliant business, there could be serious repercussions. During the first year, verification of compliance was extremely lax, but the industry is now ramping up a campaign to ensure that the new standards are being met.
As a dentist, you likely accept credit cards as a form of payment, and therefore need to take care to establish PCI compliance. To do so, your credit card processor will ask you to pay an annual fee and log on to a PCI-authorized web site of their choice. There, you’ll answer a series of questions to determine the level of compliance required, based on the way you process credit card charges. The fee varies widely, from $25 to $179, but all of these companies perform exactly the same function. WSDA’s endorsed provider, Best Card, not only saves you money on processing each month, but charges only $25 for PCI verification, the same amount they are charged by the sites that ascertain compliance. If you’re overpaying for PCI, you may well be overpaying for all of your processing business, and it might be a good time to give Best Card a call.
Once on the PCI-authorized site
If you use a terminal (the lowest level of compliance), you will fill out a questionnaire, write a paragraph describing how your practice protects credit card information in your office, and be asked to name one staff member as the designated PCI security contact. The better your office policies are, the fewer questions you’ll be required to answer. At minimum, your policy should state that (a) all patient records that show a patient’s credit card number are properly secured or locked and not accessible to others such as patients in the office, cleaning services, etc.; (b) credit card receipts and related records are properly shredded once your retention period has elapsed (you may want to keep signed receipts for at least six months in case you receive a chargeback and need to provide the signed copy); and (c) credit card processing batches are closed daily.
If you use an internet-based system, however, more stringent compliance is required. You will complete the same documentation as above, but the questionnaire will be much longer, and you will be required to have quarterly scans to verify that credit card data transmitted over the internet or through your website is not exposed to compromise.
As part of the new standard, most processors have already updated their software to truncate the credit card number (showing only the first four and last four digits) on both the merchant copy and the customer copy of the receipt. Washington law only requires that the customer copy be truncated. You should have already received this software update; if not, contact your provider directly.
Best Card reports a spike in calls and faxes to their clients from outside vendors claiming that the client’s equipment is not PCI compliant. The truth is that no outside vendor can tell what equipment you are using, and regardless, nearly all credit card terminals are PCI compliant or can become so with a simple software patch provided by your processor. The only exceptions are PIN pads, which can store a customer’s PIN. Most dental practices do not have a PIN pad, but if you do, just call your merchant processor or Best Card to find out whether it is compliant.
If you have additional questions about PCI, you may call your present processor or Best Card at 877-739-3952.