The PCI Compliance Challenge – Certification
This week, Ontario Systems announced that the payment application integrated with our Artiva Healthcare solution has been officially certified for compliance with the Payment Application Data Security Standard (PA-DSS) version 2.
For those of you whose eyes didn’t glaze over reading that sentence, you know how excited we are about that. For those whose did, blink a few times and keep reading.
Because even if you’re not a client of ours yet, chances are you take credit card payments. And if you take credit card payments, you should take a minute to learn why PCI certification matters.
If you store, transmit, take, or handle credit card data in any way, you’re subject to the Payment Card Industry Data Security Standard (PCI-DSS for short).
The PCI-DSS is a set of requirements that spells out how that information must be handled so patients are less exposed to identity theft, including requirements like:
- Protecting stored cardholder data
- Restricting access to cardholder data by business need to know
- Tracking and monitoring all access to network resources and cardholder data
Unlike HIPAA, which is a federal law, there is no federal mandate as to how cardholder data must be handled. A few states might have laws, but compliance is important mainly as a matter of contractual obligation. To do business with Visa, Mastercard, etc., the organization has to have PCI certification. And in order to earn that certification, the payment application has to be compliant as well. That’s why the best healthcare organizations always operate in line with standards like the PCI-DSS. After all, if being the best means protecting patients, and protecting patients means protecting their data, then the best hospitals are those that protect that data.
Of course, that’s a lot easier said than done. Some organizations try to develop their own systems, at large expense and with a lot of risk. But no one wants the bad press, lawsuits, and lost business that come along with a patient’s identity being exposed. So a lot of operations go after systems that have already been certified.
Those applications have been audited by a Qualified Security Auditor, who tests each one by installing it in a test environment and conducting a battery of forensic analyses to ensure cardholder data is securely routed and properly stored. We’ll cover some of those specifics later, but for now, understand that these audits are rigorous, extensive, and a massive headache for those who undertake them. So it’s often less risky and less expensive – i.e. easier – to implement an application that’s already been certified.
We’re excited that we can officially say we can offer your business the peace of mind and savings that the PCI’s stamp of approval affords. A certified Payment Application doesn’t make you certified, but it certainly helps put you on the right track.