Healthcare organizations must understand the vulnerabilities that come with accepting electronic payments and be proactive about protecting against them. Whether it is an individual employee who steals a patient's payment card information or a large-scale cyber-attack, compromised data is costly. According to the Ponemon Institute's 2013 Cost of Data Breach Study, healthcare suffers the most expensive data breaches at $233 per lost record; pharmaceuticals rank third at $207. Add the damage to brand and reputation and it is easy to see how hard recovering from a breach can be.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that every organization that processes, stores, or transmits payment card data maintains a secure environment. The requirements focus on protecting payment account data at every step of the transaction.
Some assume that an organization meeting HIPAA requirements is also complying with PCI DSS; this is not the case. HIPAA mandates the protection of protected health information (PHI), while PCI DSS governs the protection of cardholder data. The two overlap in some controls, but compliance with one does not satisfy the other.
As healthcare organizations work toward PCI DSS compliance, here are three important ways they can reduce PCI DSS scope and protect payments.
1. Encrypt Card Data at the Point of Entry
Organizations can reduce PCI DSS scope with point-to-point encryption (P2PE) using encrypting card swipe and key-entry devices. These devices encrypt the card data inside the device at the moment it is swiped or keyed, so the systems between the device and TrustCommerce only ever carry ciphertext; TrustCommerce decrypts the data and processes the transaction. Encrypting devices can also be integrated into self-service kiosks where patients manage their accounts and pay co-pays and balances. How much scope an encrypting device removes depends on the solution: the largest reduction applies to solutions validated under the PCI SSC P2PE program, and for other encryption solutions the reduction is at the discretion of the organization's acquirer and assessor.
For call center environments, healthcare organizations can use encrypted keypad devices. Here the card number is encrypted at the point of entry, inside the keypad, so it is never in the clear on the agent's workstation or on the network beyond it. To further reduce PCI DSS scope, organizations can configure TC Vault to accept only transactions initiated from the keypad and to reject card numbers typed on a user's unencrypted keyboard; without that restriction an agent can still key a PAN into the application and bring the workstation back into scope.
TrustCommerce supports full point-to-point encryption with leading EHR systems, such as Epic, GE Centricity, and others.
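To make the P2PE path concrete, here is an added example in Python. It is not TrustCommerce code and does not reflect how their devices or TC Vault are built; it simulates the flow described above: an encrypting reader seals the PAN with a key shared only with the processor, the workstation forwards the opaque blob with an amount, and the processor decrypts, verifies, and refuses any request that carries a clear-text PAN (the keypad-only restriction). The cipher is a stand-in built from HMAC-SHA256 so the example runs on the standard library alone; real readers use DUKPT-style key management with TDES or AES. Device ids, keys and the test PAN 4111111111111111 are made up.

```python
"""Point-to-point encryption (P2PE) from card reader to processor, simulated.
Added example, not TrustCommerce code. Real readers use a scheme such as DUKPT
with TDES/AES; the toy authenticated cipher below (HMAC-SHA256 keystream with an
encrypt-then-MAC tag) is a stand-in so this runs on the standard library alone.
Device ids, keys and the test PAN are made up."""
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 12, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    # separate encryption and MAC keys derived from the key injected into the device
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; raises ValueError on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))

def luhn_ok(pan: str) -> bool:
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class EncryptingReader:
    """Card reader or keypad: the PAN is encrypted inside the device."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key = device_id, key

    def swipe(self, pan: str, expiry: str) -> dict:
        track = json.dumps({"pan": pan, "exp": expiry}).encode()
        return {"device_id": self.device_id, "p2pe_blob": seal(self._key, track).hex()}

def workstation_submit(reader_msg: dict, amount_cents: int) -> dict:
    # the merchant workstation only attaches the amount; it never handles the PAN
    return {**reader_msg, "amount_cents": amount_cents}

class Processor:
    """Processor side: holds the device keys and can refuse clear-text PANs."""

    def __init__(self, device_keys: dict, keypad_only: bool = True):
        self._device_keys, self.keypad_only = device_keys, keypad_only

    def process(self, request: dict) -> dict:
        if "pan" in request:                # PAN typed on an ordinary keyboard
            if self.keypad_only:
                return {"approved": False, "reason": "clear-text PAN not accepted"}
            pan = request["pan"]
        else:
            key = self._device_keys.get(request.get("device_id"))
            if key is None:
                return {"approved": False, "reason": "unknown device"}
            try:
                pan = json.loads(open_sealed(key, bytes.fromhex(request["p2pe_blob"])))["pan"]
            except ValueError:
                return {"approved": False, "reason": "blob failed authentication"}
        if not luhn_ok(pan):
            return {"approved": False, "reason": "invalid PAN"}
        return {"approved": True, "masked_pan": "*" * (len(pan) - 4) + pan[-4:],
                "amount_cents": request["amount_cents"]}

def demo() -> dict:
    device_key = secrets.token_bytes(32)    # injected into the reader at provisioning
    reader = EncryptingReader("kiosk-01", device_key)
    processor = Processor({"kiosk-01": device_key})
    msg = workstation_submit(reader.swipe("4111111111111111", "1229"), 2500)
    assert "4111111111111111" not in json.dumps(msg)   # nothing past the reader sees the PAN
    return processor.process(msg)

if __name__ == "__main__":
    print(demo())
```

The assertion in demo() is the scope argument in one line: everything the workstation and the network carry is ciphertext, a tampered blob fails authentication rather than decrypting to garbage, and a PAN typed into the application's own fields is refused by the processor, so only the reader and the processor ever handle cardholder data.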
2. Secure Online Payments
When accepting online payments, organizations can use transparent data redirection to reduce PCI scope. TC Trustee API is an embedded API with direct-post functionality, often referred to as transparent redirect. It can be used to accept patient web payments made through EHR software such as Epic MyChart. With TC Trustee API, the payment form on the portal page posts the patient's card information directly to TrustCommerce, so it never passes through the healthcare organization's web server, which reduces PCI DSS scope on that server. The server that delivers the payment page is not out of scope entirely: it remains responsible for the integrity of that page, because an attacker who can alter the form's target or inject script into it can capture card data before the direct post happens.
3. Utilize Tokenization
Tokenization replaces the sensitive primary account number (PAN) with a unique identifier, a token, that is useless to anyone who intercepts it. TrustCommerce's tokens are unique and have no relationship to the actual PAN, so they cannot be decoded or reverse-engineered to recover it. The cardholder data is stored in TrustCommerce's environment rather than the healthcare organization's. The token does still let the organization charge the card through TrustCommerce, so the API credentials that authorize those calls need the same care as any other secret.
Used in combination with encryption and data redirection, tokenization is a powerful way to reduce PCI scope and protect cardholder data while still allowing the organization, directly or through its patient portal, to reference the stored card for future, recurring or installment transactions.
Healthcare organizations can use tokenization within EHR integrations such as Epic 2012 MyChart and Welcome, among many others, depending on the client's overall system design. Check with your software provider to see whether an integration with TrustCommerce already exists.
Protecting Payments and Brands
For every method of electronic payment, whether in person, online, mobile, or via self-service kiosk, there are effective technology solutions for reducing PCI DSS scope. Keep card data off your web servers and systems, encrypt it from the point of entry through transmission, and tokenize stored cardholder data. Reducing scope reduces the cost and effort of remaining PCI DSS compliant.
Source: 2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, sponsored by Symantec.
Epic, Resolute, Welcome, and MyChart are registered trademarks of Epic Systems Corporation.