As a business owner, PCI compliance (the Payment Card Industry Data Security Standard) should be a priority, but too often owners are given poor advice or simply haven’t found a way to fix the problem of collecting and storing credit card data. Here are 3 major mistakes and how to fix them.
MISTAKE 1: PATIENT CARE MANAGEMENT AGREEMENT & INTAKE PAYMENT FORM (PAPER)
Most companies have an intake form with terms and conditions for payment, which includes fields for credit card authorization with full card data.
Employers entrust home health care provider staff and contractors with people’s lives, so surely they can be trusted with credit card information too, right? Not necessarily. Whether intentional or by mistake, there are many ways the data can be compromised, and for an owner, the penalties in the event of a breach leading to identity theft could be crippling.
- What if the forms are left in a car (lunch breaks, forgetting to bring them into the house overnight, etc.) and they’re stolen?
- How are forms returned to the home office for processing? Are those methods secured every step of the way?
- The form needs to be cross-cut shredded. If the right shredder isn’t provided for home offices, how can one be sure the employee has invested in one?
- Merchants can never store the CVV or security code. If the form is needed for any other purpose, can the sensitive payment data be cut off and shredded without defeating the purpose of the document?
MISTAKE 2: RECURRING BILLING PROCEDURES
There is a variety of excuses for why the paper form needs to be kept on file so the card can be charged each billing period, but all of them are baseless if the provider does their homework on alternative solutions.
- Stored paper forms present significant risk. Cleaning staff, vendors and trusted employees all have potential access to the data. A top reason cited for data breaches is “it was easy,” and a filing cabinet of card authorizations tops the list.
- Businesses with up to 100 employees are at extremely high risk for identity theft.
Additionally, it is just plain inefficient to manage billing by key-entering the same card data over and over again.
MISTAKE 3: ENTERING DATA INTO COMPUTER SOFTWARE
Gathering the data digitally has the potential to be an excellent alternative to paper methods.
- Do not allow payment data to be entered into a spreadsheet or other non-secured form.
- Is the payment application part of the private duty software, such that the software itself is in scope for PCI compliance? Does the software need to be updated? Is the full card number ever available to users? The architecture of the solution strongly influences security. (Recall the Target and Neiman Marcus data breaches.)
- Entering the card data directly into a cloud payment solution that is segregated from the business application software provides the optimal security. (Users should still follow all other PCI procedures.)
3 METHODS TO IMPROVE PCI COMPLIANCE WITH FIELD PERSONNEL:
- Encrypt data at the point of acceptance, whether the card is swiped on a secure device or key-entered.
- Directly enter payment data into a secure payment processing platform.
- Use tokenization. Tokenization replaces sensitive PAN (Primary Account Number) data with a unique identifier known as a token, which is useless to anyone who may intercept it.
How can the provider get a written authorization on paper that is safe for the customer and safe for the provider? Contact us for a FREE Credit Card & ACH Authorization form makeover that can be used in combination with safe, secure, PCI compliant technology.