More than 898,000,000 (yes, that’s MILLION) records with sensitive information were breached between January 2005 and April 2016 – and that’s just what has been made public! Standard security procedures and technologies can thwart theft of cardholder data and private information. It is the responsibility of the entities that store, process or transmit cardholder data to maintain compliance and set reasonable security standards to deter and, if possible, eliminate cardholder abuse. This includes merchants and service providers that don’t actually have a point-of-sale PIN entry device system. Stay in compliance by following the 12 steps that mirror security best practices:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business “need to know”
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Self-Assessment Questionnaires (SAQs) are available as a validation tool. Even if you are not an organization that self-assesses its PCI compliance, these questionnaires are a great tool to help you keep track of your company’s compliance. They can serve as reminders to check for new or changing circumstances within your organization, as well as to verify existing policies.
One last word on cardholder data: Cardholder data should never be stored unless it is necessary to meet the needs of the business. Limit the retention time, and be sure to document the retention time in your data retention policy. Purge unnecessary stored data at least quarterly, and do not store sensitive authentication data after authorization is received, even if it is encrypted.
Hospital Receivables Service, Inc. offers full medical billing solutions for all medical practices including MD offices, ancillaries, and hospitals. We provide billing, insurance collection, early out collection, and bad debt collection. All collectors are properly trained, compliance is enforced, and there is a full-time fraud examiner on staff. Contact us today at 800-940-2455 to see how we can maximize the return on your medical billing and collections.