The PCI challenge



Credit card security is an area of growing concern in the healthcare world. Michael Kanarellis, IT assurance senior manager for Wolf & Company, explains the implications of the PCI DSS and why it is so important that healthcare organizations take action.

Most healthcare organizations have been understandably focused on HIPAA, HITECH, and Meaningful Use regulations recently—yet credit card fraud and breaches continue to rise due to a lack of proper data security controls around their internal credit card infrastructure.

Since the Payment Card Industry Data Security Standard (PCI DSS) was developed by four major credit card companies in 2006, healthcare organizations could now be subject to fines, be held liable for losses resulting from a compromised card, or lose their merchant status if adequate security controls are lacking. As credit cards are being accepted at physicians’ practices, cafeterias, parking garages, and pharmacies, to name just a few, the opportunity for lapses in data security controls is high.

The PCI DSS has garnered much more attention in the healthcare industry recently due to a few major factors. Consumer-controlled healthcare has led to an exponential increase in individual patient payments. The majority of patients use their own credit or debit card to make co-payments and pay larger portions of their bills as the prevalence of higher deductible health insurance plans, health savings accounts, and flexible spending accounts grows. Naturally, as patients become more involved in the payment of their services, concerns about the data security controls in place to protect those cards will rise as well.

A secondary factor is that, as larger organizations spend billions on security measures, hackers will gravitate to targets with fewer security measures, and they have collectively turned their attention to healthcare organizations. Additionally, the decentralized approach that many healthcare organizations take to processing credit cards makes them a greater target for organized hacking groups.

Finally, many local and national banks are requiring their corporate clients, which include hospitals, managed care facilities, and long-term and acute care organizations, to perform a PCI DSS gap analysis and fill out the self-assessment questionnaire.

Analysis of business 

The objective of any thorough PCI DSS review is to first define the current cardholder data (CHD) environment, identify CHD security weaknesses, and propose recommended changes based on information obtained through the assessment process. The output of this process can then be used to reduce the cost and difficulty of implementing and maintaining PCI DSS security controls, thereby reducing the overall risk to healthcare organizations.

To accomplish these objectives, the business processes and system components of the healthcare organization connected to the CHD environment should be reviewed. This also means analyzing CHD environment data flows to ensure that storage and transmission of CHD is properly secured per the PCI DSS.

Business lines that should be included are:

  • Hospital main campus 
  • Physicians’ practices 
  • Cafeterias 
  • Cafes 
  • Parking garages 
  • Hotels 
  • Payment offices 
  • Donation offices 

The list above is not all-inclusive and your organization’s business may differ slightly. For each business line you must interview key employees regarding the business processes surrounding CHD storage, processing, and transmission. Once you understand your business line’s processes, you must analyze them for PCI DSS compliance issues, business process design flaws, and security weaknesses.

Analysis of IT system 

In addition, you must evaluate the system components that store, process, and transmit CHD from a design perspective. Working with your internal IT Department, you must analyze the system components for infrastructure PCI DSS compliance issues and security weaknesses. The 12 PCI DSS requirements below will be helpful in this phase of your analysis.

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement strong access control measures

  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an information security policy

  12. Maintain a policy that addresses information security

The PCI DSS requirements are extensive and offer a level of complexity in data security requirements not seen before in payment operations. If you don’t have the internal capabilities to perform a complete assessment, we recommend you use an independent third-party auditor. It’s not a matter of if, but when, you will have to comply with these standards and mitigate credit card data security threats.

Michael Kanarellis is IT assurance senior manager for Wolf & Company. He can be contacted at:

Michael Kanarellis, Wolf & Company, US