PCI-DSS — A short acronym for a long journey — Part 3
So you think having an approved scanning vendor (ADV) scan a couple of your external IP’s 4 times a year for a bundled cost of $189.00/year, and attesting to a questionnaire means you are PCI-DSS compliant? Think again.
The goal is to complete due diligence to ensure a secure network and organization at all levels against all kinds of threats. Complete your assessment as discussed in Part 2 of this blog article (http://parkplaceintl.com/blog/pci-dss-short-acronym-long-journey-part-2/). You may be surprised (not pleasantly) at all of the credit card transactions that occur across your organization and what data is actually leaving the organization. There are self-assessment questionnaires that are available free of cost on the PCI DSS website: https://www.pcisecuritystandards.org/. Gather information on the approximate number of transactions you have annually. This will help you determine what level category you fall under (A, B, C, C-VT or D). Maybe you are a small office and can easily show compliance. Cash only!! Who carries checkbooks these days anyway? You must be a really good healthcare provider if all your patients are willing to pay you cash only!! Nice!! OK, back to reality.
The wealth of information out there on the PCI-DSS website will blow your mind. If you are overwhelmed, put together a focus team that consists of the right players: compliance, technical security, and/or network and security engineers. Let them do an assessment. Maybe you are too small a shop to be able to get this done. Hire a Qualified Security Assessor (QSA). QSAs approved by the PCI-DSS council can be found on this site https://www.pcisecuritystandards.org/approved_companies_providers/index.php. A QSA is very well qualified to assess your network and provide feedback, help you determine a network design, or recommend changes that can then be implemented as part of a project. They can help by looking at your inventory and identifying what hardware/software needs to be upgraded. Although Park Place is not a QSA, we have very well-qualified, experienced network and security engineers and technical consultants available to help customers with network assessments.
As a healthcare provider with paying customers, you recognize the importance of achieving PCI-DSS compliance. All compliance standards - be it HIPAA, PCI-DSS, ISO, NIST - lead to Rome. However, the PCI-DSS standards have more depth and a little bit more clarity, and compliance can result in a more secure network. In today’s world hackers are targeting your data for financial gains, glory, or for the heck of it. You are in the business of providing a service, and data security is critically important when it comes to Protected Health Information (PHI) or Personally Identifiable Information (PII). Protect the data you are responsible for.
Ashini Surati is the Security and Compliance Manager at Park Place International. She has been working in the healthcare security and compliance realm for the past decade. Her passion is to ensure customers understand and comply with regulations and maintain a secure, compliant environment.