Confirming Your Compliance With DSS v4.0
By Laura Freeman
“It isn’t a federal regulation, but if you want to be able to accept credit card payments without fines or undue legal and financial risks, it’s important to be diligent in making sure your office is in compliance with current payment card industry data security standards,” Janet Day, senior healthcare advisor for Kassouf & Company, said.
“DSS 4.0 has been implemented over the past two years and became fully effective a couple of months ago. A few tweaks are now being added under 4.1. Complying with these security measures is part of the contract you signed when you were approved to accept card payments. Failing to meet these standards, even if you simply misunderstood or relied on incorrect advice from someone, could cost you thousands of dollars and possibly affect your ability to accept cards for future payments.”
The first set of standards was established in 2004 when American Express, Discover Card, Mastercard and Visa came together to create a security plan to counter the efforts of increasingly ingenious thieves who are continually coming up with new ways to steal information remotely through data systems. The security standards have continued to evolve with fresh countermeasures to block whatever new routes cyber criminals try to use.
These security requirements apply to all organizations that accept card payments using a swipe or similar technology, take card payments over the phone, keep card numbers on file or transmit them. Beyond your own compliance, the third parties whose systems your digital and communications systems interact with should also be compliant. That includes practice management software, accounting programs like QuickBooks, online banking services, collections services and other card services, and third-party reimbursement systems.
“The security requirements focus on preventing breaches, fraud, and keeping private data safe,” Day said. “In addition to maintaining and regularly updating firewalls and protecting against malware, you need multifactor authentication. You should also have a policy that keeps passwords strong and regularly updated.”
Encryption of sensitive data, and secure disposal of that data when it’s no longer needed, are also important. You will also want to monitor for suspicious activity and set up and document a vulnerability assessment program.
“You’ll need to find a service that can perform an annual vulnerability scan,” Day said. “An annual risk assessment is also essential, and this is where many organizations make a misstep that can lead to problems later. Large companies like big box retailers that accept an enormous number of card payments can employ certified experts who can examine every aspect of their card payment system, and verify that it is in compliance with all requirements. However, becoming certified is a long and arduous process, and someone with that expertise can be very expensive. For a practice that accepts a relatively small volume of cards, the costs may not fit into the budget. However, it is possible to find people who are highly trained in this area who may not yet be certified, but can offer good advice.
“Where organizations with a smaller digital footprint tend to get into trouble is that they may hire freelance IT people to set up their systems, which allows them to save money. When the form for the annual assessment comes in, the person responsible for compliance may have other responsibilities to manage and may not be that knowledgeable about the more in-depth issues. So they send the form to their IT guy, who is an expert in hardware but may not know that much about the specifics of how their client is managing compliance. They may assume their client knows whether they are in compliance. They just sign the form and send it back. Whoever is responsible for returning the form sees the IT signature and thinks they must know if they are in compliance. They return the form unaware that they could be vulnerable to hacks, fines, and legal costs from patients whose card information is compromised.”
Regular training for every member of staff who has access to card information, and staying current on training new hires, are a good first step in preventing problems. Also, limit access to card numbers to those who have a need to know. Think about who can see card numbers. Is this someone you would trust with your wallet?
“We don’t want to stress anyone, but we do want you to be sure you aren’t left vulnerable by misconceptions and myths. You can go online and find spreadsheets from the card companies you do business with that list the most common questions, answers and data points you are likely to need to understand. It’s called the prioritized approach tool for PCI DSS v4.0,” Day said.
Reviewing spreadsheets may not be the most exciting way to use your time, but when you learn what you need to know, you can relax, and get back to the work you enjoy.