South Florida Hospital News
Sunday August 25, 2019

April 2008 - Volume 4 - Issue 10

Beware! Every Entity That Accepts Payment Cards Must be PCI Compliant Now!

Many entities in the health care space accept various forms of payment cards, e.g., credit cards, debit cards and others. What many providers of these services do not understand is that they are mandated to comply with the rules of the Payment Card Industry Data Security Standard (PCI DSS). Failure to comply with this mandate can lead to loss of payment card acceptance privileges, and civil as well as criminal penalties. Fines can range up to $500,000 per event.

The rules regarding compliance are complex and confusing. The initial version of the Self Assessment Questionnaire (SAQ) is the document under the PCI DSS that must be answered by all entities that accept payment cards. It divides merchants into four levels based on the number of transactions processed. The only distinguishing process characteristic used in determining the level was whether the merchant processed eCommerce transactions. An additional exception is that a card brand could assign a merchant to a higher level based upon perceived risk or a past breach or indiscretion.

New Requirements

On February 8, 2008, the PCI Standards Council announced the latest version of the Payment Card Industry Data Security Standard (PCI DSS) Self Assessment Questionnaire (SAQ), known as SAQ v1.1. The new SAQ represents a complete evolution from the previous SAQ, known as v1.0. The most critical change is that the category a merchant falls into is determined by the configuration of how the merchant processes transactions, not by transaction counts. Further, under the new rule set an attestation statement is required of all merchants on a per-MID basis. The attestation statement serves as the merchant's certification that they are both eligible to perform and have performed the appropriate Self-Assessment.

The new SAQ divides merchants into five validation levels.

Briefly, SAQ Validation Type 1 covers merchants that transact in a card-not-present manner with all cardholder functions outsourced. An example would be an eCommerce merchant utilizing a PCI compliant shopping cart, hosting service and payment gateway. Validation Type 2 covers merchants who use imprint-only processing with no electronic cardholder data storage. Validation Type 3 covers merchants who use a stand-alone dial-up terminal with no electronic storage. Validation Type 4 covers merchants whose payment application systems connect to the Internet and have no electronic cardholder data storage; IP terminal merchants will fall into this validation level. Finally, Validation Type 5 includes all other merchants (those not included in the descriptions for Validation levels 1 to 4) and all service providers defined by a payment brand as eligible to complete an SAQ.

So What Do I Do to Become Compliant?

This is the critical question that every entity that accepts payment cards must answer. The truth is there is no simple answer. However, significant help is available. A number of providers of integrated health payment programs have detailed PCI compliance programs in their offerings. The best example of this approach can be found at One Health System Group ( ). A significant effort has been expended to simplify the entire process of obtaining compliance in a single, seamless, integrated approach. It is clearly worth investigating!

Rob Orkin, One Health System Consultant, can be reached at (888) 783-0911 or