Identifying Common Obstacles to PCI Compliance
Aug. 22, 2017
By Angela K. Hipsher-Williams, CISA, QSA, and Jonathan J. Sharpe, CISA, QSA
Cybersecurity remains a top focus for healthcare organizations, as cyberattacks and data breaches at major U.S. healthcare systems continue to make headlines. One area of cybersecurity that has come under increased focus is payment card industry (PCI) compliance.
All entities that store, process, or transmit cardholder data must comply with the PCI Data Security Standard (DSS), and healthcare organizations are no exception. PCI compliance applies to all card transactions, whether the transaction takes place in person, such as processing a patient copay or purchase at a cafeteria; over the phone, such as through a call center; or online, such as via an e-commerce site or patient portal website. The PCI standard was developed to encourage and enhance cardholder data security and to facilitate broad adoption of standards for consistent data handling. Noncompliance can leave organizations open to negative legal and financial consequences, including fines, reputational damage and loss of business, and increased cybersecurity insurance premiums.
Despite the consequences for noncompliance, healthcare organizations too often fall victim to common pitfalls that can lead to noncompliance. Recognizing – and addressing – those pitfalls can help organizations avoid the consequences associated with PCI noncompliance.
Understand PCI Scope
A major trap healthcare organizations often fall into when it comes to PCI compliance is misunderstanding PCI scope. Frequently, healthcare leaders and their staffs assume PCI compliance is in place across the organization when, in fact, it is not. PCI compliance involves a specific set of requirements that must be met, and simply assuming compliance is taking place is not enough. (See below for a list of the 12 PCI DSS requirements.)
The PCI DSS explicitly states that all entities that store, process, or transmit cardholder data must comply with the requirements. Scope is not limited to the systems that touch card data directly: it also includes system components that are connected to, or could affect the security of, the cardholder data environment (CDE). Such components include databases, applications (including email, call recording software, and point-of-sale software), operating systems, network devices, and servers.
One common misconception is that when an organization outsources card data processing to a third party, it no longer needs to follow up on compliance. Some of the risk is transferred with third-party processing, but the organization remains responsible for complying with the standard and for managing its service providers: the PCI DSS requires a written agreement acknowledging the provider's responsibility for the cardholder data it handles, annual monitoring of the provider's compliance status (typically by obtaining its Attestation of Compliance), and a record of which requirements each provider manages and which remain with the organization. Third-party vendors are often present on a healthcare system's network, or they might connect remotely. Examples of this arrangement include parking garage fee collection kiosks, cafeterias, gift shops, and equipment rental locations. A good rule of thumb is this: if a system can affect the security of cardholder data, it is within scope and is therefore subject to the PCI standard.
Another challenge with PCI compliance that healthcare organizations often experience concerns network architecture. Most healthcare organizations operate on a flat network in which communication is unconstrained among systems. On a flat network every system can reach the systems that handle card data, so every system is in scope, and the network offers nothing to stop malware or a targeted attack from spreading between otherwise unrelated systems. Ideally, organizations should operate on a segmented network, which compartmentalizes and restricts network access. When built appropriately, segmentation limits the scope of compliance to the systems that store, process, or transmit cardholder data, plus the systems that are still permitted to connect to them or that provide them with security services. Segmentation only reduces scope if it actually works: the PCI DSS requires segmentation controls to be verified by penetration testing at least annually and after any change to them (Requirement 11.3.4 in PCI DSS v3.x).
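To make the scoping rule concrete, here is an added example (not code from the article or from the PCI SSC) that estimates PCI scope from an asset inventory and a network reachability model. The inventory, hostnames, and firewall policy below are constructed for illustration. The rule implemented is the "connected-to or security-impacting" rule from the PCI SSC's scoping and segmentation guidance: a system is in scope if it stores, processes, or transmits cardholder data; if it can open a connection to, or accept one from, such a system; or if it provides security services (such as authentication) to the CDE. Running the same inventory against a flat network and against a segmented one shows how segmentation shrinks scope, and that a vendor kiosk which still talks to the payment gateway stays in scope.

```python
"""Estimate PCI DSS scope from an inventory plus network reachability.

Added illustration, not the article's or the PCI SSC's code. The inventory
and firewall policy are constructed. Scoping rule: CDE systems, systems that
can connect to or from a CDE system ("connected-to"), and systems that
provide security services to the CDE ("security-impacting") are in scope.
"""
from typing import Dict, Set

# Constructed inventory: hostname -> role.
HOSTS: Dict[str, str] = {
    "pos-cafeteria": "cde",           # point-of-sale terminal, transmits card data
    "pos-gift-shop": "cde",
    "payment-gateway": "cde",         # forwards transactions to the processor
    "call-recorder": "cde",           # call-centre recordings can contain card numbers
    "domain-controller": "security",  # authenticates CDE administrators
    "ehr-app-server": "other",
    "radiology-pacs": "other",
    "hr-workstation": "other",
    "parking-kiosk": "other",         # third-party vendor system on the hospital LAN
}

# Reachability model: src -> set of hosts src may open connections to.
Reach = Dict[str, Set[str]]


def flat_network(hosts: Dict[str, str]) -> Reach:
    """Flat LAN: every host can initiate connections to every other host."""
    return {src: {dst for dst in hosts if dst != src} for src in hosts}


def segmented_network(hosts: Dict[str, str]) -> Reach:
    """Constructed firewall policy: default deny between segments, with only
    the flows the business actually needs explicitly permitted."""
    allowed: Reach = {
        "pos-cafeteria": {"payment-gateway", "domain-controller"},
        "pos-gift-shop": {"payment-gateway", "domain-controller"},
        "call-recorder": {"domain-controller"},
        "payment-gateway": set(),  # its only egress is to the processor, off the LAN
        "domain-controller": {"pos-cafeteria", "pos-gift-shop", "call-recorder",
                              "ehr-app-server", "hr-workstation"},
        "parking-kiosk": {"payment-gateway"},  # vendor kiosk still talks to the gateway
        "ehr-app-server": {"radiology-pacs", "domain-controller"},
        "radiology-pacs": {"ehr-app-server"},
        "hr-workstation": {"ehr-app-server", "domain-controller"},
    }
    return {h: allowed.get(h, set()) for h in hosts}


def pci_scope(hosts: Dict[str, str], reach: Reach) -> Set[str]:
    """Return the set of hosts in PCI DSS scope under the given reachability."""
    cde = {h for h, role in hosts.items() if role == "cde"}
    in_scope = set(cde)
    for host, role in hosts.items():
        if host in cde:
            continue
        if role == "security":
            # Security-impacting: affects CDE security regardless of data flows.
            in_scope.add(host)
            continue
        can_reach_cde = bool(reach.get(host, set()) & cde)
        reachable_from_cde = any(host in reach.get(c, set()) for c in cde)
        if can_reach_cde or reachable_from_cde:
            in_scope.add(host)  # connected-to
    return in_scope


def out_of_scope(hosts: Dict[str, str], reach: Reach) -> Set[str]:
    """Hosts that segmentation has taken out of scope."""
    return set(hosts) - pci_scope(hosts, reach)


if __name__ == "__main__":
    for label, net in (("flat", flat_network(HOSTS)), ("segmented", segmented_network(HOSTS))):
        scope = pci_scope(HOSTS, net)
        print(f"{label:9s}: {len(scope)}/{len(HOSTS)} hosts in scope -> {sorted(scope)}")
```

On the flat network all nine hosts are in scope; on the segmented network only the four CDE hosts, the domain controller, and the parking kiosk remain, and the EHR, PACS, and HR systems drop out. A real assessment would replace the hand-written policy with firewall rule exports or flow logs, and the segmentation penetration test is what confirms the model matches reality.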
Determine PCI Compliance Responsibility
PCI compliance problems among healthcare organizations often are a result of the industry's unique challenges and structure, including the way in which healthcare organizations are set up. Many are decentralized and have multiple levels of leadership and management. This structural complexity can make it difficult to determine who is responsible for various business and IT requirements, including PCI, and to ensure that each department is operating under the same policies.
Often, the IT department is assumed to be the party responsible for PCI compliance. However, IT serves as a support mechanism to the organization, enabling it to process credit card transactions. The organization overall must take responsibility for PCI compliance. This can be done through formation of a PCI compliance steering committee made up of representatives from across the organization.
A successful PCI compliance program means having a governance team in place that includes stakeholders from both the business and IT sides of the organization. This team should have overall ownership of PCI compliance within the organization, and it should have oversight of development and approval of all centralized policies, procedures, and processes for compliance. In addition, this team should communicate PCI and overall security awareness and provide training throughout the organization.
Consult PCI Specialists
Because of the decentralized nature of many healthcare organizations, numerous relationships may exist with multiple processors and acquiring or merchant banks, leaving the total number of credit card transactions distributed among many sponsors. Validation requirements are based on the number of transactions processed in a year: a merchant falls into one of four levels, with level one being the highest. Levels two through four generally validate by completing an annual Self-Assessment Questionnaire, while level one merchants must undergo an annual on-site assessment resulting in a Report on Compliance, because of the higher risk their transaction volume represents. All levels that have external-facing systems are also required to pass quarterly vulnerability scans by an Approved Scanning Vendor.
Unless the card brands and acquiring banks aggregate the transaction counts for all parts of an organization, the organization may end up reporting at a lower level than its total volume warrants. For example, a healthcare organization might have 15 individual clinics. Even if all of the clinics' credit card transactions are going to a single bank, if the bank treats them as 15 separate merchants, each clinic would most likely be a level two, three, or four merchant. If the bank instead aggregates the transaction totals and views them as coming from one organization, that organization could land at the other end of the spectrum as a level one merchant, with correspondingly higher reporting requirements. Given this, healthcare organizations should understand their merchant level, confirm it with each acquirer, and continue to assess their compliance on an annual basis regardless of how an acquirer currently views the organization.
Ensuring PCI compliance involves acquiring knowledge about the interpretation of the requirements and understanding all processes and systems that need to be assessed in validation efforts to keep patient cardholder information secure. Often, those in the organization who are most knowledgeable about the PCI DSS are not sufficiently independent from the management of the systems to perform an unbiased assessment of the controls. In this case, organizational leadership should consider engaging a Qualified Security Assessor (QSA) who understands the intricacies of PCI compliance to help avoid the risks and penalties associated with noncompliance.
The 12 high-level PCI DSS requirements [1]:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data based on who has a need to know for business purposes.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
[1] PCI Security Standards Council, “PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard Version 2.0,” October 2010, https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf