
PCI DSS in Healthcare

Why Healthcare Providers Must Comply with PCI DSS

When patients use credit cards to pay for health services, providers must meet the requirements of the payment card industry’s new Data Security Standard

As a healthcare provider, you are governed by the Payment Card Industry’s Data Security Standard (PCI DSS) if you process, transmit, or store cardholder data. In the same way that your compliance with HIPAA is required to protect your patients’ health information, compliance with PCI DSS is required to protect your patients’ payment information. This is true:

  • When you accept a co-pay by credit card
  • When a patient hands you a debit card to cover their office visit
  • When you accept a prepaid card in payment for a medical supply, such as a brace the patient needs, or for a service
  • When a patient provides their credit card information online to pay their medical bill.

There are numerous other payment card acceptance scenarios that require your compliance with the PCI Data Security Standard. You have a responsibility to know and understand them, just as you are required to understand and comply with HIPAA.

Brief History of the PCI Data Security Standard

The Payment Card Industry’s Data Security Standard (PCI DSS) was introduced in 2004 in response to escalating credit card fraud and the need for a common set of data security standards in the industry. The founders were American Express, Discover Financial Services, JCB International, Mastercard, and Visa. Prior to 2004, Visa had been the first major card company to develop its own data security standards.

These payment companies created an independent PCI Security Standards Council to manage and administer the Data Security Standard across retailers, merchants, and service providers who accept payment cards (credit or debit) as well as merchant banks and payment processors. Over time, the PCI DSS has become the exclusive, uniform standard for card payment security for businesses worldwide, including healthcare providers, insurers, and healthcare business associates who accept card payments.

Since 2004, the PCI Data Security Standard has steadily evolved to address new threats, promote best security practices, and provide clear guidance to users. Among the most important updates are:

  • PCI DSS 1.1: Released in 2006, this version required merchants to review online applications and establish firewalls. 
  • PCI DSS 2.0: Released in 2010, this version streamlined the risk assessment process. 
  • PCI DSS 3.0: Released in 2013 to focus on education and awareness. 
  • PCI DSS 3.1: Released in 2015 to address vulnerabilities in SSL protocol. 
  • PCI DSS 3.2: Released in 2016, this version addressed growing threats to customer payment information at that time. 
  • PCI DSS 4.0: Released in 2022, this landmark version imposed 64 new security requirements, reflecting the acceleration of phishing schemes and ransomware exploits, addressing ongoing hacking incidents leading to data breaches, and accounting for new security tools and technologies.
  • PCI DSS 4.0.1: Released in 2024, this ‘housekeeping’ version corrected typographical errors and added clarity to v4.0 specifications while keeping the majority of requirements intact. PCI DSS 4.0.1 is now the only active version of the standard, and the deadline for compliance with its requirements is March 31, 2025.

PCI DSS and HIPAA are Complementary 

If you accept credit card, debit card, or prepaid card payments for your services, you are required to comply with the PCI Data Security Standard regardless of the size or number of card transactions you handle annually.

Consumer payment card information is just as proprietary and sensitive as patient protected health information in all its forms, whether paper (PHI) or electronic (ePHI) or other format. Just as your compliance with HIPAA is designed to protect your patients’ health information, compliance with PCI DSS is designed to protect your patients’ payment information.

The two sets of security requirements work alongside each other in a complementary fashion, creating secure environments for the data they govern. It is your responsibility to understand and comply with both sets of requirements. And even if your healthcare business is the rare exception not subject to HIPAA, that doesn’t let you off the hook for PCI DSS if you accept card payments.

Actions Required Under PCI DSS

If your organization hasn’t undergone a PCI DSS compliance assessment in the past 12 months, you will need to have an assessment conducted against the PCI DSS 4.0.1 standard and documented appropriately. Assessments are required annually. In all, four actions are essential to compliance with PCI DSS 4.0.1, beginning with assessing your security risks and remediating identified vulnerabilities, followed by documenting your assessment findings and maintaining compliant practices going forward.

Step 1: Assessing Security Risks to Your Payment Card Data

This step begins with a scoping process to identify the locations of all payment account data within your hospital, medical center, healthcare practice, or pharmacy. You will need to take an inventory of all information technology assets and business processes associated with payment processing. You must analyze those processes and assets for vulnerabilities that could expose card payment data to hacking and other unauthorized access, and then implement or update all the necessary security controls to protect that data. These controls are detailed in the PCI DSS 4.0.1 requirements document in the PCI DSS Library. 

To close this step, you will need to complete a formal risk assessment, which is required annually. There are nine types of Self-Assessment Questionnaires (SAQs) for use in assessing your PCI DSS compliance, including SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE, as well as a SAQ D for service providers and a SAQ D for merchants and retailers. Depending on the SAQ applicable to your environment, you will also need to conduct quarterly external vulnerability scans, which are a specific type of vulnerability assessment, as part of your compliance.

Step 2: Resolving Those Security Risks

This step requires identifying and addressing gaps in your security controls that were found during the risk assessment. All vulnerabilities identified during the assessment must be prioritized and resolved. It is best to develop a remediation plan and timetable to ensure steady progress toward gap resolution. This step also requires you to implement secure business processes where needed, as well as to securely remove any payment data that is being stored unnecessarily or beyond its use. With 64 new security requirements in the new PCI DSS standard, most organizations will discover additional vulnerabilities as compared to previous assessments.

Step 3: Documenting Your Assessment Findings and Resolutions

Your assessment findings will need to be documented in the applicable Self-Assessment Questionnaire (SAQ) you identified in Step 1. You’ll also need to complete an Attestation of Compliance (AOC) form to testify that your self-assessment results are valid. If you engaged the services of a qualified risk assessment firm to assist in your risk assessment, they will be able to validate your assessment results (in addition to navigating the process for you).

Step 4: Monitoring and Maintenance

This activity is not a final step but rather a required ongoing activity. You must put in place a process for constantly monitoring the security controls and safeguards you implemented in Step 2 to secure payment account data in order to make sure those controls remain active and current regardless of changes or updates you might make to your payment card policies and procedures.
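As an added example (not code from this post or from 24By7Security), the Python script below illustrates the data-discovery part of Step 1 and can be re-run as part of the ongoing monitoring in Step 4: it scans text such as application logs for candidate card numbers, keeps only those that pass the Luhn check so ordinary numbers are not reported, and prints each hit in masked form only. The log lines, file name and field names are constructed for the example.

```python
"""Discover primary account numbers (PANs) stored in plain text.

Supports PCI DSS scoping (finding where payment account data lives) and
ongoing monitoring. Findings are reported masked: PCI DSS permits at most
the first six and last four digits of a PAN to be displayed.
"""
import re
from typing import Dict, Iterable, List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by the major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask everything between."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines: Iterable[str], source: str = "<input>") -> List[Dict[str, object]]:
    """Return masked findings (source, line number) for every Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append({"source": source, "line": lineno, "masked": mask_pan(digits)})
    return findings


# Constructed sample log from a hypothetical billing application.
SAMPLE_LOG = [
    "2025-01-15 10:02:11 INFO copay received patient_id=48213 amount=25.00",
    "2025-01-15 10:02:12 DEBUG card=4111 1111 1111 1111 exp=12/27",  # test PAN, Luhn-valid
    "2025-01-15 10:03:40 INFO invoice 1234567890123 posted",         # 13 digits, fails Luhn
    "2025-01-15 10:04:02 DEBUG card=5555-5555-5555-4444 approved",   # test PAN, Luhn-valid
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG, "billing.log"):
        print(f"{f['source']}:{f['line']} PAN stored in clear: {f['masked']}")
```

Lines that carry a PAN in the clear are exactly the ones Step 2 asks you to remediate, by removing the data or by fixing the logging that wrote it.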

The Difference is the Data

Secure healthcare payments are as important as secure patient data.

No doubt these steps are ringing a very familiar bell. That’s because the actions required for PCI DSS compliance are remarkably similar to those required for compliance with the HIPAA Security Rule. The primary difference is the focus on payment card data, as opposed to the focus on patient healthcare data.

Today, most organizations, healthcare entities included, must comply with security requirements imposed by multiple sources. Security best practices, cybersecurity frameworks, and security regulations are evolving into sets of universal standards that cross industry lines, becoming more similar as those lines continue to blur.

The HITRUST Framework is one of many examples—incorporating HIPAA requirements as well as elements of NIST, ISO, and other widely accepted security standards. This universality has made it much more convenient for organizations of all sizes and types to navigate compliance with today’s multiple, but increasingly similar, security requirements.


Expert Assistance is Available Now

If you prefer to engage expert assistance toward compliance with the new PCI DSS, schedule your first step soon. Despite the official compliance deadline of March 31, 2025, you can demonstrate good faith and intent to comply by beginning your compliance process now. It is never too late to do the right thing.

There are many professional options to choose from, including 24By7Security as one example. Our firm is highly experienced in all aspects of HIPAA compliance, from the security and privacy rules to the data breach notification rule, to patient right of access, and other critical requirements. In addition, our experience includes PCI DSS compliance, HITRUST CSF implementation, NIST CSF adoption, and many other security requirements. We have assisted hundreds of organizations with compliance initiatives and conducted more than 3,000 security assessments.

24By7Security is a Qualified Security Assessor Company authorized by the PCI Security Standards Council to assess clients against the PCI DSS standard and certify them for compliance. And, as a HITRUST Authorized Readiness Licensee, we are able to assist organizations seeking to adopt the HITRUST CSF Framework. Contact us for a complimentary consultation.


Juan Carlos Hernandez

Juan Carlos is the Consulting Practice Leader at 24By7Security, Inc. He is a results-driven professional with over 30 years of progressive management and technical experience in LAN, WAN, and Security infrastructures in the U.S., Europe, and Latin America. With three decades of leadership under his belt, he has helped drive delivery of enterprise-level, multimillion-dollar project portfolios that have helped companies secure and optimize their people-process-technology framework. Prior to assuming his role at 24By7Security, Juan Carlos worked at the director level for UDT and Zyston. Throughout his career, he has worked diligently to create an exceptional record of revitalizing underperforming IT Infrastructure and Security departments, services, and projects, all of which have helped boost revenue growth and cost reduction by aligning network and security operations with business strategies and customer risk. In addition, Juan Carlos has extensive experience formulating risk-based, business-oriented decisions as well as the ability to execute them, all while aligning Security Programs with organizational mission values and strategies. He has influenced staff and management to establish internal alliances to support the overall security strategy and initiatives with corporate goals and objectives. Juan Carlos is a PCI Qualified Security Assessor (PCI QSA) and a Certified Information Systems Security Professional (CISSP). He holds a Bachelor of Computer Science from the Universidad Simón Bolívar in Venezuela.
