New York State Dental Association


New York State Dental Association is a constituent of the American Dental Association representing more than 13,000 dentists in New York.
   
September 8, 2010
   
 
 
 
   

News
       
     
   
Protect Credit Card Information
June 16, 2010

PCI Compliance

Several years ago, the major credit card issuers looked for ways to better protect credit card information and cardholder data. They eventually developed a set of standards designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. The standards became known as PCI DSS (Payment Card Industry - Data Security Standard).

The standards require the following from companies handling credit card transactions:

Requirement 1:
Install and maintain a firewall configuration to protect cardholder data.

Requirement 2:
Do not use vendor-supplied defaults for system passwords and other security parameters.

Requirement 3:
Protect stored cardholder data.

Requirement 4:
Encrypt transmission of cardholder data across open, public networks.

Requirement 5:
Use and regularly update anti-virus software.

Requirement 6:
Develop and maintain secure systems and applications.

Requirement 7:
Restrict access to cardholder data by business need-to-know.

Requirement 8:
Assign a unique ID to each person with computer access.

Requirement 9:
Restrict physical access to cardholder data.

Requirement 10:
Track and monitor all access to network resources and cardholder data.

Requirement 11:
Regularly test security systems and processes.

Requirement 12:
Maintain a policy that addresses information security.

Though these are not government regulations, they are requirements of the credit card industry. All merchants (including dental offices) that process credit card payments must comply or risk having their account suspended. In addition, your processor requires that you use an independent company to verify that you’ve complied with the standards (“trust but verify”).

Most credit card processors have been contacting their merchant clients (dental offices) and informing them of this requirement to institute these standards and undergo a compliance check. You are free to choose your own compliance company, also known as a Qualified Security Assessor, but most offices use the firm recommended by the processing company. There is an annual fee for this service which can be $200 or more.


The “compliance” itself for dental offices is usually just an online questionnaire that the office completes. For some merchants and those processing more than 20,000 credit card charges a year, the compliance may also require quarterly scans of the merchant's computer networks as well as other measures.

If you do not comply with the new standards or submit to the compliance check, your processor has the option of discontinuing your account. If they do not discontinue your account, they will likely charge you a monthly fee for the risk you present due to deficient data security. If your office has a security breach related to a patient transaction, your practice could be liable for penalties up to $100,000.


For Elavon Clients:
Dentists who process their credit card transactions with the NYSDA-endorsed Elavon program can verify their PCI compliance using the recommended Trustkeeper software. This can be found at https://elavonpci.trustkeeper.net/getstarted/ or you can call Elavon at (800) 377-3962. Elavon has also established an educational website that provides access to the Trustwave service. You can visit the site at http://pci.elavon.com. The cost to use Elavon’s program is $79 a year and it includes data breach protection up to $100,000.

For CareCredit Clients:
CareCredit transactions are not affected by PCI standards and no compliance is necessary. If, however, you use a CareCredit terminal to process bank card transactions (VISA, Mastercard, AMEX, etc.), you must comply with the standards. Again, anyone who processes, stores, or transmits credit card data must comply with these standards. If you have any questions, you can contact CareCredit’s PCI Compliance Department at (877) 371-9683.


   
     


 
New York State Dental Association, 20 Corporate Woods Blvd. #602, Albany, NY 12211
P 518.465-0044 F 518.465-3219
   