Payment Card Industry Data Security Standard, that's basically required for all merchants no matter whether you're, you know, a big operation or just have a card swipe machine. But everybody has to have - and this applies to paper and electronic information. You have to have a secured network that can protect cardholders' data. And these are all the same kinds of things that we were just talking about with the HIPAA regulations. But there are a lot more details with the PCI.
One of the first questions is what kind of merchant are you? Are you a level one merchant with lots of transactions, in which case you have lots of requirements for being in compliance, or are you just a small operator, level four? The important thing is that if you get into trouble, if you have a HIPAA breach, they can decide to call you a level one merchant even if you don't do very many transactions, so that you are subjected to more stringent requirements for compliance. So you want to make sure that you do a good job and don't get into trouble with the PCI guys, because they can make life really difficult for you.
They have a self-assessment questionnaire that's available for PCI on the PCI website. It comes four different ways depending on how you use credit card information: whether you just have a card swipe machine, whether it goes into your systems or not, or whether you have a third party handling it or not. There's a whole number of ways that you can handle credit card information, but they have four different kinds of self-assessment questionnaires.
It's important to go through this in case you have faced a HIPAA breach or are anticipating one. But if you haven't been through this by yourself before, make sure you have somebody who knows what this means go through it with you, because you may think you're doing well only to discover that in actuality you haven't done a very good job. Make sure you have some help the first time you go through the self-assessment questionnaire. But it's important to go through this. This can help you discover some of your problems.
Everybody who has PCI credit cards or payment cards has to go through security scanning procedures. That's required quarterly for all merchants. Talk to your guys in the IS Department and find out whether they've been doing that or not. There's also information about this on the PCI Security Standards site about how you can find some of their approved vendors for doing this. But they have a whole bunch of things that they look at from the outside, basically just looking from the outside to make sure the most obvious stuff is taken care of, to make sure they can't just get in and walk all over your systems. It's an important thing to be able to do.
And then if you have a third-party assessment using the PCI security audit procedure, that's the thing that's basically required of the level one merchants, and there's a - what they have is a report on compliance (inaudible) used, where they have lots of questions about lots of details. And it goes on for pages and pages and pages.
Again, this is the sort of thing that can be useful for you to download and go through, but for it to be official, you have to use one of their official assessors. But you can go through it yourself and try to get an idea of how you're doing. Again, if you haven't done this kind of thing before, you may want to have a security professional help you with this the first time so you can really understand what all these things mean, because sometimes people think they're doing great when they're actually not.
So the penalties for HIPAA breaches of cardholder information security are obviously - you can wind up with a PR disaster. I mean, healthcare is a trust business. If it winds up in the paper that you've been playing fast and loose with your patients' information, people aren't going to want to come to you. They want to go someplace else where they're going to feel more secure.
But basically, if there's a breach of cardholder information, you probably have some state disclosure laws that you have to report under, some fines and things like that. One of the important things is you're protected from fines if you're in compliance with the regulations. So, if you can show that you've just had a review and you're in compliance, even if a breach occurs you aren't going to be hit with fines by the PCI people, if you can just show that you're in HIPAA compliance, even if you end up with a major breach of some kind. If you've done what you can, that's really what they're looking for.
The 12 Requirements are listed. That's, you know, based on the same kind of things that are in the HIPAA regulations: that you have firewalls and encrypt data on public networks, and no credit card numbers in emails or anything like that. But one of the important things is a kind of flexibility rule for PCI that gives you the opportunity to do things that accomplish the same thing but may not be specifically accounted for.
But the idea is you want to limit where you have your payment card information, because wherever you have payment card information you are exposed to PCI requirements, which are stricter in many ways than the HIPAA regulations and requirements.
So the more you can do to keep credit card information out of your systems altogether, to outsource that or have it handled by outside hosted websites and, you know, have rules about not keeping any credit card information at all, or if you do keep it, just keep it on a piece of paper in a locked filing cabinet, the better off you're going to be, because once it touches your system, those systems become subject to the credit card rules.