By Dr. Precious Thompson
Every dental practice has to accept credit cards at some level. They provide a level of convenience and security for your patients that makes accepting them a worthwhile decision for almost every dentist, despite the associated costs and hassles placed on the merchant. In general, the credit card brands place burdens on the merchant rather than the cardholder, and this is perhaps nowhere more true than in PCI compliance requirements.
The Payment Card Industry (PCI) security standards are a set of requirements created to ensure a secure environment for businesses that process credit card payments. As far as it applies to dental offices, this is a set of 20 questions about how your office protects patient credit card information that a dental practice must be able to answer affirmatively via an annual questionnaire. Not only does maintaining PCI compliance better ensure that your patients credit card information is less prone to getting hacked or stolen, failing to stay PCI compliant typically means your practice will have to pay an extra fee each month.
Maintaining PCI compliance is not a one-time event, but a process that requires constant monitoring for weak spots to keep your patients’ financial information safe. No matter how large or small your dental practice is, you must comply with PCI rules and regulations. A whopping 90% of data comprise cases stem from small businesses that process 20,000 transactions or less every year. And a failure to comply with PCI regulations can result in a $10,000 penalty per transaction for your dental practice should a breach occur. To help in that regard, we’ve outlined four easy-to-follow tips to help you keep your dental practice PCI compliant.
1. Get Your IT Professional’s Help
PCI involves the technical system in which you process credit cards and payments, which is generally over the Internet (although for old systems it can be over the phone). One of the biggest components of maintaining PCI compliance is ensuring that the credit card transactions that initiate from your office make it securely to the credit card processor and back to your machine.
Ensuring this means that your Internet router and Wi-Fi need to be configured appropriately. Most dentists delegate technical tasks like router configurations to their IT person, and this should be no different, which is why a professional should come into the office set up the system review the technical PCI requirements and ensure your office is compliant from a technical perspective.
2. Develop Employee Best Web Practices
In addition to technical requirements, each business must also follow in-office best practices. The specific requirements depend on the size and how many payments they annually process, but for most non-chain dental practices, the requirements are the sort of thing you can meet by putting in best practices learned over a 1-2 session with your IT professional. One of the most important practices includes training all new staff on the office’s Internet security policies. Smart Internet usage policies like requiring employees to avoid malicious websites, limiting social media usage from the office wi-fi network and disposing of sensitive data properly also help minimize the risk of a virus initiated breach or stolen data.
3. Have a Unique Login for Each Employee
Never have one or two logins for the entire office. Only designated staff (front office, treatment coordinators) should be able to process payments for patients. And each of these staff members allowed to process payments should have their unique login and password that’s required every time they process payment. This ensures a solid trail if there is a problem or data was compromised, and enables you to better identify the cause if needed following a breach. When there’s only one password for the entire office, the system becomes more vulnerable to hackers since there’s only one code to crack, and with respect to internally compromised cards, it becomes difficult to identify the offender.
4. Track Network Activity
Credit card transactions have to be securely communicated from your office, to your processor, to the card brands, the issuing bank, and back again. But despite that long trail, the majority of breaches occur in the small portion of the transaction that takes place in your dental practice. Often the way this occurs is that someone maliciously accesses your network and starts stealing credit card numbers as they’re processed.
One way to make sure this isn’t happening is to track network activity. Every time someone uses the practice’s Internet network, there is a log of this activity automatically stored by your internet service provider. You can monitor this activity monthly to see who is using the network, for how long, and what they are doing while there. Rather than do this yourself, most offices have a monitoring service or their IT person look at all activity on the network and report questionable activity to them so that you can investigate whether it’s actually malicious.
Accepting credit cards in your dental practice is virtually a necessity for most offices. Unfortunately, with the ability to accept credit card payments comes a number of inconvenient obligations, one of the largest being maintaining PCI compliance. But by involving an IT professional to ensure that you’re technically compliant, developing employee best practices for the web, creating unique logins to process payments, and tracking network activity for unusual traffic, you can achieve PCI compliance without dramatically impacting your offices day to day operations or incurring exorbitant costs.