Payment card industry (PCI) compliance is an area often overlooked by ASCs, and by many other small businesses, for that matter. The PCI Data Security Standard is a set of requirements put forth by the credit card companies to offer a level of security to consumers who use credit cards for transactions in any business, including healthcare organizations.
How this typically plays out in an ASC is that a patient presents their credit card to the front desk, where it is run through a merchant services system. The patient's co-pay or balance is charged to the credit card and applied to their account.
If people think about compliance with credit card use, it is often in relation to the retail environment. For example, when consumers go to a Home Depot and use their credit card, they expect that Home Depot's system has met the requirements to accept credit cards and is therefore PCI compliant, which is likely, since accepting cards is a big part of their business.
Often misunderstood is that meeting PCI compliance standards is a responsibility of all businesses that accept credit card transactions. That includes in-person transactions with a physical card, as well as transactions by phone or online, all of which can apply to ASCs. For online payments, some ASCs have an Internet portal where patients click on a link that takes them to a credit card processor, through which they enter their credit card information.
The purpose of PCI compliance standards is to provide consumers with an understanding that when they offer their credit card to a business, that business is delivering a specific, achieved level of security. The broader intent is to help ensure credit card fraud does not run rampant.
If you follow the news, you are likely aware of the constant reports of major data breaches within and outside of healthcare. Those businesses were all likely PCI compliant and yet were still hacked into and had their information stolen. PCI compliance standards are not a guarantee against intrusion; neither intrusion prevention nor protection against information theft can be guaranteed. Rather, PCI compliance standards establish a minimum threshold for how difficult it will be for a criminal to gain access and obtain that information.
PCI compliance also provides a level of assurance to the merchant and consumer. By entering into an agreement with the credit card companies to accept their cards and achieve PCI compliance, you gain partners who will work with you to address a breach. Should you suffer one, they will help ensure the breach is mitigated, provide customers with resources and return monies that may have been taken as a result of the breach.
Failing to be PCI compliant increases your level of risk. Should you suffer a breach and be found non-compliant, the credit card companies have no obligation to work with you. You will likely be on your own, responsible for taking care of notifications, and may be responsible for refunding money illegally removed from a patient's account.