We get questions fairly regularly about PCI compliance and what it means for the practice. This article gives a brief overview.

What is PCI Compliance?

PCI compliance, or payment card industry compliance, refers to a set of 12 security standards that businesses must follow when accepting credit card payments and transmitting, processing and storing the related data. It involves requirements such as encryption of cardholder data, managing firewalls, updating antivirus software and assigning unique IDs to each person with computer access. As you can see, many of these requirements overlap with, and are similar to, the security and privacy requirements of HIPAA.

Who enforces PCI Compliance?

There is no government entity that enforces PCI compliance. There is an organization, the PCI Security Standards Council, that manages the security standards and looks for ways to improve security, but even the PCI Security Standards Council doesn’t enforce compliance. Instead, the merchant service provider mandates the steps a business must take to be PCI compliant through the terms of its contract or agreement.

What are the Requirements?

Merchant service providers (credit card companies) have broad latitude in implementing these requirements, and the details of implementation, as well as the requirements imposed, can vary from one merchant service provider to another. The compliance requirements are broken down into 12 general areas:

    1. Install and maintain a firewall.
    2. Change vendor-supplied default passwords and security settings.
    3. Protect stored cardholder data.
    4. Encrypt cardholder data when transmitting it across open, public networks.
    5. Use and regularly update antivirus software.
    6. Develop security systems and processes.
    7. Restrict access to cardholder data to a need-to-know basis.
    8. Assign user IDs to everybody with computer access.
    9. Restrict physical access to cardholder data.
    10. Track and monitor who accesses networks and cardholder data.
    11. Regularly test systems and processes.
    12. Have a policy on information security.

Compliance requirements also tend to vary by business size and by the number of card transactions each year. Based on the business size and number of transactions, a business falls into one of four category levels. For example, the following are the compliance levels for Visa:

    1. Level 1 merchants are those that process more than 6 million Visa transactions per year across all channels, or are global merchants identified as Level 1.
    2. Level 2 merchants are those that process between 1 million and 6 million Visa transactions per year across all channels.
    3. Level 3 merchants are those that process 20,000 to 1 million e-commerce Visa transactions per year.
    4. Level 4 merchants are those that process fewer than 20,000 e-commerce Visa transactions, or those processing up to 1 million total annual Visa transactions.

Meeting the Requirements

Every merchant must meet the requirements set forth by its merchant account provider. Meeting the requirements means your practice is in compliance. If you aren’t in compliance, you could face hefty fees or even lose your merchant account. It should be noted that some payment service providers, such as Square or Stripe, replace the need for a business to have its own merchant account and often take on some compliance responsibilities for the merchant.

Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.

Cost

  • PaySimple, for example, charges a $5.95 monthly fee for access to a “PCI tool” and a $59.95 monthly fee if you are not in compliance.
  • Dharma Merchant Services doesn’t have a PCI compliance charge, but there is a $39.95 monthly fee for noncompliance.
  • Adyen, Payline, Square and Stripe don’t have specific charges for PCI compliance.

Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something. Level 4 merchants (which would include most optometrists) can expect to pay from $300 to $1,000 or more annually to hire an approved scanning vendor to test their network, complete the questionnaire and help address any issues.

While this can be a confusing topic, your merchant company can usually help you through it, or you can use one of the services mentioned above. As always, PCS will be happy to help in any way that we can.