How to Safeguard Your Customers’ Credit Card Information

By Elements magazine | pbahealth.com

Each year, approximately 17 million Americans become victims of identity theft, and those numbers only continue to grow, according to the Bureau of Justice Statistics. The theft of information from payment cards (an umbrella term that covers debit, credit and prepaid cards) is one of the most prevalent, and costly, forms of identity crime.

You may think your independent community pharmacy is immune to identity theft, but hackers often target small businesses first because of their relaxed policies or inexperience with identity protection. If you accept payment cards, you may not know you’re putting your customers at risk until it’s too late.

Better protection

In 2006, five of the world’s largest payment brands (American Express®, Discover®, JCB International®, MasterCard® and Visa®) created a standard to protect confidential cardholder data: the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS consists of common-sense steps that mirror security best practices. It covers everything from password strength to point-of-sale payment systems and firewalls. All businesses that store, process or transmit cardholder data are required to comply with it, including businesses that outsource their payment card processing.

“The PCI DSS gives pharmacies a baseline of security measures they can put in place in their everyday business practices to help them protect their customers’ payment card data,” said Bob Russo, general manager of the Payment Card Industry Security Standards Council, the organization responsible for managing the PCI DSS.

Because the PCI DSS covers many facets of data security, Russo recommends working directly with acquirers and payment card brands to best understand and implement the guidelines. Keep in mind that each payment card brand has specific requirements for compliance validation.

“Pharmacies should definitely lean on their acquiring banks for help in understanding the requirements and how they can ensure they’re taking the steps they need to secure their payment card data,” Russo said.

Security pitfalls

You might be wondering why you should care about PCI compliance when patient information is already protected under HIPAA compliance. While the Health Insurance Portability and Accountability Act (HIPAA) contains extensive requirements for your patients’ health information, it gives zero consideration to the privacy of their financial information. So health care providers like your pharmacy must meet both HIPAA and PCI compliance.

The repercussions of noncompliance with PCI DSS can be catastrophic if a security lapse occurs.

“This can have disastrous effects on a business and damage its reputation for years to come, not to mention the financial impact of legal costs and potential fines associated with a breach,” Russo said.

For evidence, look no further than the Target hack of 2013, which cost the retailer nearly $150 million (and counting) in damage control and nearly half of its expected revenue in the following fiscal quarter.

While your pharmacy isn’t a huge corporation like Target, you stand to lose just as much without proper security. But by continually working to comply with the PCI DSS, you can safeguard your business.

Getting started

Achieving compliance with the PCI DSS is a continuous process that includes everything from creating a secure network to choosing approved vendors, but you can take small steps today that go a long way towards safeguarding customer information. Some are as simple as improving the complexity of your passwords.

“If not updated from the default or if passwords are too simple, it can make it easy for data thieves to break in,” Russo said. “And we all know the low-hanging fruit always gets tapped first.”

“It is important to remember that the real focus should be security, not compliance. Good security leads to compliance,” he said.

The best way to ensure the safety of your customers and your business is by emphasizing constant vigilance instead of relying on PCI compliance, which is just a snapshot in time.

“Security is a 24-hours-a-day, 7-days-a-week, 365-days-a-year effort,” Russo said. “And just like a lock is no good if you forget to lock it, PCI DSS controls are only effective if they are implemented properly and as part of an everyday, ongoing business process.”

A quick start to protecting customers’ card data
  • Buy and use only approved PIN entry devices at POS.
  • Buy and use only validated payment software at POS.
  • Make sure your payment systems are installed properly and securely by using PCI-qualified personnel.
  • Do not store any sensitive cardholder data in computers or on paper.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router is password-protected and uses encryption.
  • Use strong passwords. Be sure to change default passwords on hardware and software.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.


The Payment Card Industry Security Standards Council offers helpful information to help you understand the PCI DSS, including a quick reference guide on PCI compliance, self-assessment forms and more, at www.pcisecuritystandards.org.

Elements is written and produced by PBA Health, a buy-side solutions company.