“Credit Card HIPAA”
The credit card industry has their own HIPAA-style set of security standards for protecting card data. It’s called Payment Card Industry Data Security Standard, or PCI DSS or, for short, just “PCI.”
PCI is like the HIPAA Security Rule in that it is a security standard you must follow. It is unlike HIPAA Security in that it is not by itself a law, but rather it is a set of industry standards that you agree to abide by when you sign the contracts for becoming a “merchant” who can accept credit cards.
Complying With PCI DSS
The major “card brands” (Mastercard, Visa, American Express, and so on) each have their own requirements for PCI DSS compliance. They’re not all the same, but they are similar. All of them are based on the standards set by the Payment Card Industry Security Standards Council (PCI SSC).
Take Mastercard and Visa, for example: businesses that perform fewer than 20,000 credit card transactions per year (you probably do if you’re a private practitioner) need to comply with PCI but have lighter requirements for proving compliance. They need to fill out a self-assessment questionnaire and submit an attestation of compliance every year. If these businesses maintain a network of payment card processing equipment (you might or might not — it depends on what kind of reader you use), they are required to get their network scanned by an approved assessor every quarter. (Mastercard, 2016) (Visa, 2016)
Despite all that: in practice, any given business’ requirement to prove their compliance with PCI DSS is generally set and enforced by the company that provides that business’ credit card processing services.
Some credit card processing services may require you to fill out forms attesting that you are PCI compliant or perhaps perform other activities to prove compliance. They will generally guide you through what you need to do. With some credit card services, you may have to hire compliance helper services to help you keep up with PCI compliance. Most services that require you to demonstrate PCI compliance also charge you a PCI compliance fee.
Internet-Based Payment Services to the Rescue(?)
Most of the “quick and easy” payment processors, e.g. Square and PayPal, will allow you to get by without demonstrating PCI compliance at all. They do so by closely controlling the environment in which payment card information gets collected. For example, Square encrypts card data the moment you swipe it and doesn’t decrypt it until it reaches the Square company servers, and PayPal has all payment information entered directly on its website instead of yours. In other words, they keep your hands clean of all payment card information — so long as you use them as directed.
Unlike with HIPAA compliance, companies can take a large amount of PCI compliance burden off of you in this way. HIPAA requires you to perform a whole set of compliance tasks regardless of what services you use. PCI simply requires you to secure the unsecured card information that you handle. When your processor takes over the handling of card data for you, your compliance burden is reduced and their risk is increased. This, among other things, is why such services charge you higher finance rates for each payment you collect.
The problem with these “quick and easy” solutions is that while they remove an enormous burden, they don’t actually remove the requirement that you comply with PCI. If you start to handle card information outside of their walled gardens of protection, then your compliance needs rise sharply. For example, we have an entire article on the PCI compliance issues that arise when therapists hold on to client credit card information so they can charge it later.
In general, hiding PCI compliance issues from you creates the risk that you may unwittingly violate it. Best for you to understand your basic PCI needs whether your processing company requires it or not.
What Happens If I Don’t Comply With PCI DSS?
The “good” news is that there isn’t a Federal government agency that will prosecute you for non-compliance.
If you suffer a confidentiality breach that involves a client’s payment card information, you may lose your ability to accept cards. Further repercussions will depend on your state law (and any applicable future laws that come after the writing of this article). Nearly every state in the union has laws that govern what happens to businesses that suffer data breaches impacting their customers. Some of those data breach laws provide extra punishment for businesses that have breaches of payment card information and were not PCI compliant, while others may simply protect businesses that suffered those breaches despite being compliant.
In general, we strongly recommend that all private practitioners who take payment cards comply with PCI DSS. Those who use more “classic” processing services will likely receive instructions for compliance. For those who use simplified payment services like Square and PayPal, we recommend using them in their standard defined ways so that they can cover your PCI DSS needs for you.