November 20, 2009
Accept Credit Cards? Make Sure you are PCI Compliant to Avoid Potential Fines
PCI stands for Payment Card Industry Data Security Standards (www.pcisecuritystandards.org). For the most part, PCI focuses on protecting credit card numbers, and compliance with these regulations is required of every merchant that accepts credit cards as a form of payment. The main impetus of the compliance regulations is to deter identity theft. Keep in mind that dental staff members are often privy to patients' dates of birth, social security numbers and credit card numbers. In the wrong hands, this information makes your patients easy targets.
If you have not been contacted by your credit card processor yet, you probably will be before January 2010. Most processors are charging an annual fee of $25-$179 to administer PCI compliance. In order to meet PCI security requirements, you will most likely be asked to log on to an authorized PCI Website and answer questions. You will be asked some questions to determine the level of compliance required, based on whether you use a terminal (lowest level of compliance required) or online/Website-based system (higher level of compliance required). Most dental offices that use a credit card terminal will only need to complete the questionnaire, write a short policy about how you protect credit card information in your office and assign a designated PCI security contact person. If you use an online system for processing payments, you will need to complete the same documentation as above but the questionnaire will be much longer and you should begin receiving quarterly scans to verify that credit card data via the internet/Website cannot be compromised.
Your written policy, at a minimum, should reflect:
- All patient records containing credit card numbers are properly secured. They should be unavailable to others, such as non-essential staff, other patients and your cleaning service.
- Credit card receipts and related records are properly shredded after your retention period expires. You may want to keep signed receipts at least six months, in case you receive a chargeback and need to provide a signed copy.
- Credit card processing batches are closed daily. Most processors have updated their software to truncate both the merchant and customer copies of a receipt (showing only a portion of the credit card number for security purposes). This may require a software download. Truncating both copies of a receipt is now mandatory in Colorado pursuant to CRS 6-1-711(2).
Nearly all credit card terminals are PCI compliant (or can receive a software download to become PCI compliant), but some PIN pads are not, as they have the ability to store the PIN (the four-digit code for debit cards). Most dental practices do not have a PIN pad. If you do have a PIN pad, please call your merchant processor to find out if it is compliant. Several credit card processing companies are faxing and/or calling dental practices, telling them that their equipment is not PCI compliant. Keep in mind that they do not know what equipment you use: this is simply a marketing call to gain your merchant processing business.
If you have additional questions about PCI, please call your current processor or the Colorado Dental Association’s endorsed credit card processing company, Best Card at 877-739-3952.