Every few months it seems like there are more revelations of large scale data breaches that expose the personal or financial information of millions of Americans. In 2017 there were breaches at Arby’s, Verifone, Dun & Bradstreet, Saks Fifth Avenue, Intercontinental Hotels Group, Chipotle, Kmart and Verizon that resulted in credit card numbers or personal information being obtained by malicious characters.
And according to graphs compiled by non-profit advocacy group Identity Theft Resource Center¹, the healthcare industry is one of the largest targets for data breaches.
By far the largest threats to data security are hacking, skimming, and phishing.
Hacking normally involves obtaining credentials to install malware that can monitor and extract sensitive information.
Skimming is the process of attaching a physical device in the card processing environment to duplicate and steal the data.
Phishing is the practice of sending fraudulent emails or phone calls, purportedly from a reputable company, to get individuals to reveal information such as passwords, personal information or credit card numbers.
What does “PCI Compliance” mean?
To address these issues, the credit card industry responded with a set of guidelines called Payment Card Industry (PCI) Compliance.
PCI compliance is a requirement for businesses that accept credit cards. The guidelines ensure that any business that accepts credit cards has implemented secure procedures to protect transmission of card information.
What are my responsibilities?
The actual requirements a business must meet are determined by the equipment and method of communication used in processing.
PCI compliance is usually handled by your credit card processor—even if it uses an industry-approved PCI subcontractor. However, it’s the merchant’s responsibility to make sure his or her business has completed all the required steps to achieve compliance. While some credit card processors are very proactive in helping dental offices attain compliance, many don’t view it as their responsibility.◊
You must complete a Self-Assessment Questionnaire (SAQ) annually.
As part of PCI compliance, every business must complete an annual Self-Assessment Questionnaire (SAQ) unique to the processing environment.
For example, a stand-alone credit card terminal that attaches over an analog phone line has a very simple SAQ that focuses on in-office procedures to protect credit card data. This is because the terminal encrypts all information at the point of entry, and then sends it over an analog phone line, which is much more difficult for hackers to actively monitor than IP connections.
If your office uses a credit card processing terminal that connects over the internet or through your computers, not only will you have a more demanding SAQ that asks about your network security, but you’ll also be required to perform quarterly external PCI-network scans to ensure your network is secure from tampering.
How can I help keep data secure?
Store credit card information properly.
If your office stores physical credit card numbers, be sure to keep them locked up when not in use, and shred the numbers once they’re no longer required for business or legal reasons.
Never store card numbers on a computer, unless they’re stored in an encrypted format (where you cannot see full credit card number) by a PCI-approved software/gateway/processor.
Make sure your router separates phone and internet activity.
If your office phones connect over IP (instead of analog phone lines), your router must separate phone activity from the rest of your office’s internet activity.
This should be common practice, but many internet service providers, such as AT&T and Comcast, have not updated the firmware on the routers they offer businesses for this purpose. You can receive a waiver for this vulnerability to achieve PCI compliance; but beginning Jan. 1, 2018 these routers will no longer be compliant without an update.
Change passwords.
Change passwords to systems when an employee leaves the practice. Former employees could log in remotely, and run fraudulent refunds to their own credit cards.
Also, be very careful when giving access to your passwords or allowing others to remotely log in to your office computers.
Beware of calls from “Microsoft” and “PCI.”
Dental offices have called Best Card after receiving a call from “Microsoft” and being told that “Microsoft” needed to log in to their computers immediately. This is a common scam used to compromise networks and install malicious programs.
Best Card also receives calls from practices because “PCI” called them, and demanded to see a copy of their PCI scan report. There are no “PCI police” that call by phone. Any legitimate PCI compliance steps would be handled in conjunction with your processor. Giving away this information would provide a roadmap for hacking your office network.
PCI compliance and data security are an ever-changing part of the business environment, but with reasonable preparations and updates, they should be very manageable.
More to Watch Out For
Beware of calls from unscrupulous processing companies.
There are many credit card processing companies that will call and say your equipment or network is not PCI-compliant. They may even say they need to do an “update” to your terminal, and give you something to sign. Unless this call is coming from your credit card processor, and the caller can provide your merchant number, this is an underhanded solicitation.
The caller will have no information on the integrity of your systems unless you give it to them. These companies try to scare offices into signing a new agreement that usually has expensive costs and punitive contract terms.
Your terminal may need an update for MasterCard compliance.
MasterCard has started issuing credit cards that begin with a 2 (previously all MC began with a 5). Some terminals need an update to accept these new cards.²
MasterCard wanted updates completed by June 30, 2017, and can assess non-compliance fees of $2,500 per occurrence in the first 30 days, $10,000 in the next 60 days, and up to $20,000 per occurrence for subsequent violations. However, MasterCard will send a warning before assessing fines. If you receive a sales call and are told you’re non-compliant and may get fined, there may some truth to this. You should check with your processor.
◊When Best Card reviews statements from dental offices to prepare cost comparisons, approximately 60% of dental offices are being charged monthly or quarterly PCI non-compliance fees. Best Card averages 90% PCI compliance for its dental offices, and charges approximately 25% of the annual cost other processors charge for PCI compliance.
¹”Identity Theft Resource Center.” ID Theft Center. N.p., 19 Jan. 2017. Web. 14 July 2017.
²Daitch, Heidi. “2017 Data Breaches – The Worst Breaches, So Far.” Identity Force. N.p, 11July 2017. Web. 14 July 2017