Is Your Patient Payment Information at Risk?
by Julanne Williams

If you are accepting credit cards for payment then the next question is, “Are you PCI Compliant?” PCI (Payment Card Industry) DSS (Data Security Standard), is a set of information security requirements enforced by major credit cards: American Express, Visa, MasterCard, Discover. By following these standards your company reduces the risk of credit card exposure.

The PCI Security Standard Council encourages all businesses that store payment account data to follow PCI DSS to lower financial risks. However, it is your responsibility to make sure that you are doing all that you can to ensure your customers’ payment card data is safe and that you’ve done everything to protect against breach.

In the past, companies could maintain customer/patient credit card payment information on digital or source documents.  Rules have changed however, regarding the storing of the source document, i.e., having all 12-16 digits of credit card revealed. Businesses are now required to reveal only the first six and last 4-digits of a customer’s credit card number on file. It is now the organization’s responsibility to update those files and redact the credit card number, or at a minimum – leave only the last four digits.

PCI DSS Requirements:

3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:

  • Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
  • Processes for secure deletion of data when no longer needed
  • Specific retention requirements for cardholder data
  • A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

3.1.b. Either a quarterly automatic or manual process is in place to identify and securely delete stored cardholder data.

3.3 Mask PAN (primary account number) when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.

*Per PCI DSS Requirements and Security Assessment Procedures Version 3.0  Nov. 2013

We Can Help Keep You PCI Compliant

Through a combination of Freedom’s OCR (optical character recognition) engine and Workflow (FreeWf) solution, we can process your digital or electronic documents through our OCR server and scour them for terms like  “credit card”, “Mastercard,” “Visa,” etc. Once those files are identified, Freedom places them in a work queue and those documents are now ready to have the credit card numbers redacted within Workflow.

To better satisfy PCI compliance recommendations regarding disposal policies, Freedom can set up parameters for automatically searching records on a regularly scheduled basis, i.e., quarterly. Once documents are identified based on pre-determined criteria then the stored cardholder data can be securely deleted – while maintaining the integrity of the source document.

Case Study

A laboratory customer contacted Freedom with the need to remain PCI DSS compliant – to pull out all of their billing documents that contained credit card information so they could redact those crucially sensitive 16-digits. Freedom accessed documents within their existing VFC (Virtual File Cabinet), processed them through the OCR server set to identify specific criteria fields (credit card, Mastercard, etc.) and then had those files placed in a work queue. The customer was then able to pull those sorted files up within Workflow, redact the credit card information and save the redacted document back into the system, leaving their source documents secure and now PCI compliant.

The customer had all the software in place – Freedom developed a new solution around the need for PCI compliance. So, with minimal effort your files too can be updated and PCI compliant – allowing you to rest easy knowing your patients’ crucial credit card information is secure.

For more information on how Freedom Imaging Systems can help your organization stay PCI compliant, call us at 734.327.5600, email: information@freeimage.com or visit us at freedomimagingsystems.com