Before I jump into this topic, have I told you lately that I LOVE reader email? REALLY love it. Why? Because it gives me ideas on content to bring to you! If you have a question or idea for a post, please contact me!
Dentist + Barber, by JD Hancock
Now, on to the goods. A reader asked me about compliance in a small medical office situation. How should someone approach it? You probably got a letter from someone with a Self-Assessment Questionnaire, and you are unsure what to do! Here are a few things to consider:
What Level Merchant are you? If you are a level 4, you do not have any mandatory reporting requirements per Visa, MasterCard, and Discover, but your processor or acquirer may ask you to provide details. It does not excuse your requirement to comply with PCI DSS (everyone MUST comply), but it does reduce the burden on reporting requirements.
How do you accept payment cards today? If you are a single office practice, you may not act differently from any other sole proprietor in your area. Do you have a small terminal separate from your computer system that you use to swipe cards? You may have a pretty easy task in filling out SAQ-B. The key is to make sure you batch out every day, and have your processor program the device in a way that does not store the payment information. If you are processing cards on your computer systems, are you just using a virtual payment terminal (fill out SAQ-C-VT) or are you swiping the cards inside your office management applications (SAQ-C or D)? The more integrated payment cards are into your systems, the harder it will be to comply.
Should you hire someone to help? I’m a consultant, so my answer to this question tends to be yes, but only if that someone is me. If I take my consultant hat off, I would say it depends on how sophisticated your knowledge of payment systems is. If you have worked with payment cards for a while, and have seen multiple implementations in companies larger than yours, you may not need to. That said, card acceptance can be pretty complex, and you may want to reach out to an expert. You can hire guys like me, which can be expensive (but extremely valuable, ESPECIALLY when you hire me… And so HUMBLE too!), or you can reach out to your processor and ask for their assistance. They have skin in the game if you have a breach, so they should be interested in chatting with you.
What things can I do to get me 95% of the way there? If you have a simple payment flow, map it out. Don’t forget about all of your business processes related to cards. Some examples might be authorization, settlement, clearing, reconciliation, chargebacks, marketing analysis, and fraud scoring. Map every place a card might go. Then understand what happens to the cards along each step in your map. Can you cut steps out? Is data being stored somewhere?
When small businesses are dealing with payment cards, they should remember the three Ds of Safe Payment Processing:
- Delegate (Outsource, you may pay an extra point, but you don’t have to worry about PCI DSS if you do it right)
- Destroy (After use)
- Don’t Store (Period)
Possibly Related Posts:
- PCI DSS 4.0 Released plus BOOK DETAILS!
- PCI Council Loses $600K in Revenue, PO Population on the Decline
- Why PCI DSS 4.0 Needs to be a Complete Rewrite
- Orfei Steps Down
- Should you be a PCI Participating Organization?