personal information. PCI DSS compliance is required by all card brands.[1] Using a third-party vendor will not preclude a business from being PCI-DSS certified.
Using a credit card processor that is
Most credit cards on file are used for recurring payments and/or where patients use their credit card frequently to pay for their healthcare services. In these instances, a PCI-DSS vendor offers card vaults. A payment vault and “tokenization” solution are the core of the PCI solution and assist e-commerce. The payment vault is a secure location used to store all patient credit card numbers. Once the credit card numbers have been inserted into the PCI vault, the practice receives a token that can be used in the future. The token can then be stored freely on the practice servers, because there is no way to decrypt the PCI token to determine the original credit card number.

A payment vault is a secure location to protect the patient’s credit card information. Once the credit card number has been inserted into the hosted PCI vault, the practice will receive a token that can be used in the future. Tokenization is a process where a primary account number is replaced with a surrogate value called a token.
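As an added illustration (not code from the original article or from any vault vendor), here is a minimal model of the vault-and-token arrangement described above: the real card number lives only inside the vault, the practice keeps a random surrogate plus the last four digits, and enrollment is gated on the signed consent form. Class, field and function names are assumptions.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to catch typos at enrollment; it says nothing about authorization."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if it overflows
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class PaymentVault:
    """Hypothetical hosted PCI vault (not any vendor's product): the only place the PAN exists."""

    def __init__(self):
        self._pan_by_token = {}  # inside PCI scope; the practice never sees this table

    def tokenize(self, pan: str) -> dict:
        digits = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(digits):
            raise ValueError("malformed card number")
        # A random surrogate, not a cipher or hash of the PAN: there is no key to steal and
        # no computation that maps the token back, so the token may sit on practice servers.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        return {"token": token, "last4": digits[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The vault would forward the PAN to the processor here; only last4 is returned.
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}


def enroll_card_on_file(vault: PaymentVault, patient_id: str, pan: str, consent_signed: bool) -> dict:
    """The practice-side record (constructed schema): token and last four, never the PAN."""
    if not consent_signed:
        raise PermissionError("signed consent required before storing a card on file")
    result = vault.tokenize(pan)
    return {"patient_id": patient_id, "card_token": result["token"], "last4": result["last4"]}


if __name__ == "__main__":
    vault = PaymentVault()
    # "4111 1111 1111 1111" is a constructed test number, not a real account
    record = enroll_card_on_file(vault, "PT-0001", "4111 1111 1111 1111", consent_signed=True)
    print(record)  # the practice record contains no full card number
    print(vault.charge(record["card_token"], 12500))
```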
The practice should develop a policy and procedure algorithm for processing payments through a consent form mechanism. Once the CCOF is set up with a secure PCI-DSS processor, the practice should ensure all their internal processes are in place. The practice should develop a policy and procedure for how the CCOF payments will be processed. The practice should also draft and approve a consent form that the patient will sign prior to their first payment being processed and a policy on how the consent form will be provided to the patient. The practice must obtain patients’ consent to process the charges on their credit or debit cards under the Electronic Funds Transfer Act (EFTA); otherwise it could be an unauthorized purchase.
Policy and procedure

As part of the practice’s compliance program, the practice should develop a financial policy and procedure that outlines the process for securing the patient’s credit card information. Further, the practice should conduct regular training on this policy to ensure compliance with any federal, state, or local regulations.

The policy should outline the procedures for the practice employees’ appropriate handling of credit and debit card transactions. The policy should also prohibit the practice staff from maintaining information on the cardholder in the practice.

Penalties for non-compliance and

PCI compliance is maintained by the industry standards body called the PCI Security Standards Council (SSC). The standards are reinforced by five payment card brands: Visa, MasterCard, American Express, JCB International, and Discover. Each brand has its own standards for monitoring.[4] The penalty for non-compliance with the PCI standards can range from $2,000 to $100,000 per month. These violations are levied against banks and credit card institutions and can be