The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

Transcription

1 Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

2 PCI and HIPAA Compliance Defined Understand the difference between PCI and HIPAA Compliance. Learn how to become PCI compliant. PCI-DSS to Keep Merchants in Business Current digital data management practices are inadequate leaving businesses vulnerable to hackers and criminals. Data breaches are more costly than the expense of becoming PCI Compliant. Previous Options Before PCI DSS, individual credit card companies had their own processing guidelines. As the worldwide internet developed, new security issues became evident. Solution The expansion of ecommerce led the five major credit card companies to merge processing guidelines into one shared standard known as PCI DSS. Benefits Avoid penalties of non-compliance Protect business assets Increase Consumer Confidence Reputable web presence and rankings Implementation 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. 3. Encrypt transmission of cardholder data across public networks. 4. Protect stored cardholder data. 5. Use and regularly update anti-virus software for programs. 6. Develop and maintain secure systems and applications. 7. Restrict access to cardholder data by business need-to-know. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data. 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes. 12. Maintain a policy that addresses information security for employees and contractors. Summary PCI Compliance is required for credit card payments acceptance. The benefits compensate the expense involved in the compliance process.

3 PCI and HIPAA Compliance Defined PCI-DSS to Keep Merchants in Business The worldwide internet once seemed like something out of a Sci-Fi movie. Now, it is at the core of all we do. Technology advancements and the introduction of ecommerce opened opportunities for businesses to pass their local thresh-holds offering them a larger presence in the merchant world. Medical practices now have the advantage of internet access to insurance coverage and research tools to increase productivity and lower administrative costs. The Achilles' heel of commerce is the constantly evolving technology. Criminals prey on those lacking the knowledge to efficiently protect data. Prevalent digital data breaches place personal health and credit card information at risk of manipulation and theft. Technology s benefits come with serious challenges, requiring data security standards to be implemented and enforced. The two most accepted and recognized standards are the Payment Card Industry Data Security Standards (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA). While there are some similarities, the two standards are often confused but very different.» The Payment Card Industry Data Security Standards (PCI-DSS) focuses on how credit card payments are processed and stored in order to prevent fraud.» Health Insurance Portability and Accountability Act (HIPAA) focuses on how healthcare information is accessed and stored to protect patient privacy. The goals are the same; to protect. While PCI-DSS applies to anyone accepting credit card payments, HIPAA is focused on the healthcare industry. PCI-DSS acts as the foundation for HIPAA for many healthcare facilities. Compliance with PCI Data Security Standards is critical because current digital data management practices are inadequate, leaving businesses vulnerable to data breaches. According to the Ponemon Research Institute, LLC:» The average organizational cost of a data breach is $7.2million for 2010.» Negligence is the cause of 41% of data breaches.» Malicious attacks cause 31% of data breaches.» System glitches cause 27% of data breaches. The History of PCI-DSS Before PCI-DSS existed, individual credit card companies had their own processing guidelines. As the worldwide internet developed, new credit card processing security issues became evident. In 2004, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. integrated their five separate data security compliance programs into one standard. All five brands equally govern what is now known as PCI-DSS. The Benefits of PCI-DSS» Increase Consumer Confidence resulting in repeat business» Improve reputation with acquirers and brands» Prevent security breaches and theft, protecting assets» Avoid penalties of non-compliance» Gain reputable web presence and better Google rankings The Consequences of Non-compliance» Lawsuits Insurance claims» Cancelled accounts» Payment card issuer fines» Government fines

4 Implementation of PCI - DSS 1. Install and maintain a firewall configuration to protect cardholder data. A firewall can either be a downloadable software program that runs in the background or, hardware that connects between the modem and a computer. Both types act as a fence to keep out intruders. Software is less expensive but its more susceptible to malware. Hardware is more expensive but it does a better job, is less intrusive and unaffected by malware. Use both types of firewalls for better protection against unauthorized access and visibility to network traffic. 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Using defaults, repeating characters, sequences or personal information is a common mistake when setting a password. Longer passwords mixed with letters, numbers and symbols are better for data breach prevention. Changing passwords once a month adds more security. Below are a few extra security options to help manage confidential information.» Business Desktop Lock limits specific features and applications to users.» Password Protected Internet limits usage for specified users and time frames.» Non-internet programs on a hard-drive can be password protected.» File Lock Protection limits access to specific files within a specific computer or server.» File Pulverizer securely erases files and folders as well as disks and SD drives. 3. Encrypt transmission of cardholder data across open, public networks. Encryption converts data into indecipherable text that can only be switched back to its original form with authorization. Payment authorization information is encrypted before being sent across a network. Below are a few different types of data encryption.» Symmetric: Files are encrypted and sent to user. A key for accessing the information is sent separately. An example would be when a password is sent to an address instead of being directly obtained.» Asymmetric: Files are encrypted and sent to user. Two separate keys are created. One is private and the other is public. This allows anyone to encrypt the data but only user to decode the data. An example would be an encryption of personal health information being sent to a doctor. Anyone can encrypt the data but only the doctor can decode data.» Tokenization: Protects sensitive data by replacing it with alias data tokens which are irrelevant to unauthorized viewers. The tokens are random and useless to hackers unlike decryption keys which can be intercepted. 4. Protect stored cardholder data. The PCI-DSS council requires terminals to comply with pin entry device security requirements. Payment data should not be stored in computers, laptops, smart phones or any other endpoint devices. Personal payment information should not be accessed from unsecure locations. All confidential data should be encrypted and password protected.

5 Implementation of PCI - DSS 5. Use and regularly update anti-virus software or programs. Firewalls do not detect viruses and malware so it is important to run separate anti-virus and spyware programs which detect and remove infections and another malicious malware. 10. Track and monitor all access to network resources and cardholder data. Tracking user activities reduces the impact of a data breach because the user logs make investigating a compromise possible. Audit history should be kept for one year 6. Develop and maintain secure systems and applications. Monitoring systems for security vulnerabilities and updating patches protects against misuse by employees, external hackers, and viruses. Secure coding techniques should be used during development. 11. Regularly test security systems and processes. Testing on security adequacy identifies weaknesses and prevents expensive data breaches. New vulnerabilities are discovered all the time. Quarterly external scans must be run by a PCI-DSS qualified vendor. 7. Restrict access to cardholder data by business need-to-know. Confidential information should not be unnecessarily available. Only authorized personnel should have access on a need-toknow basis. EFT server settings can allow or deny access based on IP address. 8. Assign a unique ID to each person with computer access. Users should have a unique ID to access systems. Access should be authenticated by a password or token device. When confidential information is accessed remotely two-factor authentication, or two different types of evidence should be required for verification. Passwords should be strongly encrypted during transmission of data. 9. Restrict physical access to cardholder data. 12. Maintain a policy that addresses information security for employees and contractors. Strong security policies set the standards and an expectation for how confidential information should be handled. Unused policies lead to failed PCI DSS assessments. Individual responsibility for protecting sensitive data must be communicated thoroughly. Summary on PCI-DSS PCI Compliance is regulated by payment card companies. Members agree to contract terms. Compliance is required on each per-merchant ID (MID). Penalties for non-compliance will cost a merchant between $100,000 and $500,000 per a compromise. Meeting PCI DSS standards is important to the security and protection for both merchants and consumers. Meeting requirements for PCI DSS lays the foundation for HIPAA compliance. Restricting access to cardholder data systems will prevent the removal or misuse of confidential information. When card holder data is no longer necessary, it should be securely destroyed in a way that it cannot be recreated. Printed files and folders should be purged and shredded.

6 HEALTHCARE MERCHANT SERVICE PROVIDER What We Do NTC Texas, headquartered in Las Colinas, TX, is among the nation s premier provider of healthcare solutions, traditional payment processing, and wireless/mobile processing technologies. We offer customized credit card processing solutions specially mapped out for businesses of all types and sizes. NTC Texas comes equipped with extensive merchant service industry knowledge, industry partnerships, and specialized processing solutions. NTC Texas provides an innovative approach to providing traditional merchant payment processing and non-traditional wireless/mobile processing services for various industries such as retail, specialty retail, healthcare, e-commerce, non-profits, lawyers, manufacturers, online, mail order, and telephone payments and more. For assistance with your facility needs, contact us today. Simplifying Healthcare Payment Processing NTC Texas PaymentCare Powered by Instamed. 106 Decker Court, Suite 260, Las Colinas, Texas p: t: f: For full information about the features and functions of NTC Texas s PaymentCare product and services, please contact us at ntctexas.com/contact. NTC Texas is a Better Business Bureau Accredited Business with an A+ Rating, we provide outstanding customer service with an emphasis on customer relationship management.