This issue is full of helpful information regarding credit card security and returned refunds. Please let us know if you have any questions.
|Credit Card Processing Security Risks |
|Most providers give little notice to how patient credit card information is handled and stored in their offices. Our eyes were opened last week when IPC Partner Mary Ellen Duffy attended a security conference for billing companies that strongly warned of the risks to both us and our clients if we fail to implement PCI (Payment Cards Industry) standards. Failure to comply could result in large fines and lawsuits if credit card information is breached. As a results, we believe we have no choice but to implement a new process to handle patient credit card information.|
Currently, our staff takes patient credit card payment information over the phone. We write the cardholder's name, credit card number and security code on a form that we send to your office for processing (via fax or courier). That information is also on patient statement stubs sent to your offices for processing. However, the PCI standards say:
To fully comply with PCI
standards, IPC has decided to implement the use of a secure portal to
process credit card payment information. Your
office will be receiving a fax this week with more information
regarding the secure solution. Please respond to the fax as soon as
- Storage and retention of card data must be kept to the absolute minimum required for the business, as documented in a data retention policy you maintain (requirement 3.1).
- Never, ever write down the card verification code (the 3 or 4 digit code) (requirement 3.2.2).
- Never send card holder data by an insecure mechanism (courier can be considered secure if a secure, sealed package is delivered and detailed audit log is maintained) (requirement 4.2).
- The paper must be stored and processed in a locked, restricted area with many strict access control mechanisms, including visitor log and camera (requirement 9.1, 9.7, 9.8, and 9.9). Most likely your fax machine is not a secure location.
- The paper must immediately be destroyed by being shredded (requirement 9.10).