What Practitioners Need to Know About PCI-DSS

SimpleClinic: Practice Management for Naturopaths What Practitioners Need to Know About PCI-DSS

In this post I will explain a little about PCI-DSS and the requirements and obligations of Naturopathic practitioners under PCI-DSS.

PCI-DSS is an acronym for the Payment Card Industry Data Security Standard.  The standard originated as a joint initiative between major payment card vendors including American Express, MasterCard and Visa.  You can learn more about the history and background of the Payment Card Industry Security Standards Council from their website here: http://www.pcisecuritystandards.org/

The standard specifies a series of recommendations about information security for all levels of the supply chain.  Everyone, from the receptionist who takes payment details on the phone, through to the payment platform and bank has a responsibility to the client to ensure the security of the client’s payment card information.

Your obligations under the standard will vary depending on how you use your patient’s payment information.  The best way to understand your requirements is through a self assessment questionnaire available from (here).  Find the section that best describes you in the column ‘HOW DO YOU ACCEPT PAYMENT CARDS?’ And download and complete the relevant questionnaire.

As a merchant your obligations include things such as:

  • ensuring you have up to date anti virus software and scan regularly.
  • ensuring you have anti malware software installed.
  • ensuring you have a firewall installed and configured.
  • ensuring you have a documented password policy and regularly change your passwords.

If you are utilising other services and payment providers they may also require a completed self assessment questionnaire from you in their terms of service.  Both EziDebit and Stripe have this requirement in an effort to help ensure end to end security of the payment process to cardholders, your patients!

As more Naturopaths and Nutritionists increasingly accept payments through channels other than a traditional, bank supplied, eftpos terminal; the likelihood that you have at least some obligation under PCI-DSS increases.  Activities that are likely to indicate you have an obligation under PCI-DSS include:

  • running an online shop that takes online payment for products or services on your website, including downloadable products and ebooks.
  • taking over the phone payments for goods or services.
  • taking online payments for consultations.
  • running membership programs or group programs with a recurring charge to a patient payment card that you have on file.

Your obligations under PCI-DSS are not avoided by outsourcing the collection and payment to external services.  Your own security can, and often does, still lead to exposure of client payment information.  The merchant themselves has often been identified as the weakest link in the security of the payment card process.  For example: malware present on your computer can steal patient credit card details while you are entering them into SimpleClinic.  In this scenario while all other elements of the payment chain were PCI-DSS compliant, out of date or non existent software on your personal computer led to the theft of payment details.

When talking with practitioners about PCI-DSS compliance I have noticed that some practitioners feel compliance to be an unnecessary hassle, or something to be avoided.  While completing the PCI-DSS self assessment questionnaire can be time consuming, it is an important task for ensuring the security of your patient’s credit card details.

In addition, many of the elements covered in the self assessment questionnaire are equally applicable for any practitioner device (desktop, phone or tablet) that is accessing health information. On a day to day basis you will be handling patient records, test results, and files, that many of your patients would feel are more valuable than their credit card details.  

In summary, the PCI-DSS self assessment questionnaire is used in the payment card industry for ensuring security of credit card details.  By completing a PCI-DSS self assessment questionnaire not only will a practitioner identify issues in the way they store and handle payment information, they will also identify issues in the way they store and handle patient health information.  Ensuring that you meet the requirements of PCI-DSS will improve security of both your patients financial and health records.