April 12, 2017

PCI DSS Compliance: The Other Privacy Rules

In previous posts, we covered the ins and outs of HIPAA and its four general rules: Privacy, Security, Breach Notification and Enforcement.  In this post, we discuss the Payment Card Industry Data Security Standard (“PCI DSS”), an often overlooked privacy standard that, while it overlaps somewhat with HIPAA, is a completely separate set of standards governing the security of your patients’ credit card information.

Origin and Nature of PCI DSS

Unlike HIPAA, which is a federal statute designed to safeguard an individual’s protected health information, PCI DSS is a private set of standards established by the major credit card issuers to safeguard an individual’s credit card information.  The standards were set up by MasterCard, Visa, American Express, Discover and JCB to establish procedures for handling credit card numbers in order to minimize credit card fraud.  The first standards (Version 1.0) were released in December 2004, and they have been updated several times since.  The most recent revisions (Version 3.2) were released in April 2016.[1]

If you accept credit card payments from patients, you are likely contractually obligated to comply with the PCI DSS standards.  Since the PCI DSS are contractual, rather than regulatory or statutory, a violation will not result in any criminal prosecution.  However, the consequences of violating the standards can be significant, and can include monetary fines, contractual liability and revocation of your ability to accept credit card payments.

Additionally, some states, such as Nevada, have enacted laws incorporating some or all of the provisions of the PCI DSS into their statutes.  This means that a violation of the PCI DSS standards may, in some circumstances, also constitute a violation of state law.[2]  To date, Arizona has not enacted legislation specifically incorporating the PCI DSS.  However, A.R.S. § 44-7601 does prohibit businesses from disposing of their customers’ financial information, including credit and debit card numbers, without first redacting or destroying the records.

Compliance With PCI DSS

The full PCI DSS contains dozens of detailed technical requirements.  However, those requirements are grouped under six main goals, which are discussed broadly below.

Build and Maintain a Secure Network

The first set of requirements focuses on building and maintaining electronic safeguards, such as firewalls, to protect cardholder data.  These safeguards should be designed to protect the internal office computer systems from external threats such as hackers.  In addition, PCI DSS requires a current network diagram identifying every connection between the “cardholder data environment” and any other network, including wireless networks, and a firewall at every such access point.  Basically, the idea is to shield cardholder data as much as possible from any potential threat.  These requirements are also aimed at ensuring that the manner in which the information is accessed is secure and that appropriate administrative guidelines are followed so that access to the system is limited.

Protect Cardholder Data

The requirements also discuss the levels of encryption to be implemented in order to protect cardholder data.  The principle behind this is that, if the data is appropriately encrypted, then even if there is a breach, the data will be worthless without the proper cryptographic keys.  Another key component to protecting cardholder data under this requirement is to implement data retention and disposal policies, so that only a minimum amount of data is retained.

The requirements also outline the manner in which cardholder data may be transmitted across open networks.  For example, when information is electronically transmitted to the credit card company to verify available credit and to process payment, strong cryptography must be employed to prevent malicious interception of the data.  This requirement is not limited to transmissions over the internet to the credit card company; it also covers internal wireless networks and Bluetooth-enabled devices.

Maintain Vulnerability Management Programs

This section focuses on mitigating the risk posed by malware by requiring anti-virus software on servers as well as personal computers, with all such programs updated on a regular basis to ensure maximum protection.  Additionally, organizations are required to keep up to date with newly discovered vulnerabilities and take appropriate measures to mitigate the risk they pose.  For example, if a software vendor identifies a vulnerability and offers a patch to fix it, a company should install the patch as soon as possible.

Implement Strong Access Control Measures

The requirements under this section include that businesses restrict access to cardholder data on a “need to know” basis.  Essentially, the idea is that the more people within a business who have internal access to cardholder data, the more likely it is that someone will misuse that data, and the more difficult it will be to trace the source of a breach.

In a similar vein, this section also requires that businesses assign unique identifiers to every person with access to the credit card system.  This allows employers to track access in the event of a breach, and can help determine the source of an internal breach.  However, some of the requirements within this section do not apply to transactions where only a single card is processed at any one time.

Additionally, physical access to cardholder data should be limited.  Therefore, any tangible records and electronic equipment used to store cardholder data should be secured within a business.  Further security measures such as alarm systems and surveillance cameras should also be employed.

Regularly Monitor and Test Networks

The requirements in this section are aimed at testing the security of your system through periodic audits and logging procedures.  The goals are to identify potential weak points in your network security, to ensure that you are able to detect breaches when they occur, and to identify the source of a breach.

Maintain an Information Security Policy

This section focuses on training your employees about the sensitivity of cardholder data, as well as their individual responsibilities for maintaining its integrity.

Compliance Audits And Potential Liability

Your merchant agreements with the credit card companies likely require that you make your security procedures and records available for audit.  Fortunately, most health care providers will not need to undergo compliance audits.  Although subject to change, most credit card companies only require annual compliance audits for large companies that process millions of credit card transactions per year, or for companies that have previously suffered a breach resulting in account data compromise.

However, for smaller businesses, compliance with the standards is still important.  Generally, all businesses that accept credit cards must complete an annual self-assessment questionnaire.  Failure to answer it honestly may mean that, in the event your patients’ financial data is compromised, you could be responsible for any chargebacks.  You could also have your ability to accept credit cards suspended or revoked, in addition to potential fines from the credit card companies.

Also, regardless of whether you are penalized by the credit card issuers, you may be liable to your patients if their financial data is stolen as a result of your or your staff’s negligence.  The PCI DSS standards do not necessarily create a standard of care for purposes of establishing negligence.  However, if you are in compliance with the standards, it can go a long way toward minimizing or eliminating potential liability.

Finally, complying with the PCI DSS standards is good business.  The standards are in place for a reason: to protect your patients’ financial information.  If a patient’s financial security is compromised because you failed to safeguard it, the potential for liability exposure and negative publicity can be significant.  If you have any questions about PCI DSS compliance, contact a healthcare attorney for guidance.

[1] PCI DSS 3.2 is available at https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

[2] See Nevada Revised Statutes § 603A.215 (http://www.leg.state.nv.us/Division/Legal/LawLibrary/NRS/NRS-603A.html).