Summary: Navigating Payment Card Industry (PCI) compliance is crucial for businesses, including orthodontic practices. Dental practices, like the healthcare industry as a whole, are at high risk for data breaches and face significant fines for noncompliance. While HIPAA covers patient medical records, it does not ensure PCI compliance, which focuses on protecting payment information, necessitating separate adherence to both sets of standards to safeguard sensitive data.

Key Takeaways:

  • Businesses must comply with PCI standards to avoid fines and mitigate risks associated with data breaches, separate from HIPAA compliance.
  • Orthodontic practices, as prime targets for cyberattacks, must employ rigorous security measures including PCI DSS’s 12-step checklist to protect payment data.
  • Noncompliance with PCI standards not only increases financial penalties but also intensifies the impact of any potential data breaches, making compliance vital for operational and financial security.

By Eric Cohen

Navigating Payment Card Industry (PCI) compliance requires annual surveys and scans, with potential fines ranging from $20 to $200 per month for noncompliance. Every business that accepts card payments needs to be PCI compliant to help protect customer data, and the business is held responsible for staying compliant and keeping up to date with the PCI Data Security Standard (DSS). Like the healthcare industry at large, orthodontic practices collect sensitive patient data, which makes them a prime target for security breaches and exposes them to increased fees. Failure to comply with PCI standards can result in fines or restrictions.

HIPAA compliance does not equal PCI compliance

In the healthcare industry, business owners must also adhere to the Health Insurance Portability and Accountability Act (HIPAA) guidelines on top of their PCI requirements. HIPAA protects patients’ medical records and personal data but doesn’t cover payment information the way PCI DSS does. HIPAA and PCI standards differ greatly, with different regulatory bodies overseeing them. Being HIPAA compliant therefore doesn’t ensure PCI compliance; both cover sensitive patient data, and both must be kept up with. Healthcare is one of the biggest targets for cybercriminals and has the highest average cost of a data breach in the United States.

The risk of PCI noncompliance

Not being PCI compliant is a huge risk for businesses. Beyond the potential fines or other penalties, noncompliance amplifies the consequences of a breach if one occurs at a non-compliant merchant: the merchant becomes responsible for all costs of reissuing the affected cards and for any fraudulent card charges. This could bankrupt the company and ruin its reputation.

Noncompliance is an added cost your practice doesn’t need

Orthodontic offices need to be proactive about their PCI compliance efforts. Since noncompliance will often show up on a merchant statement as an added fee, it increases not only the risk of fraud but also the business’s regular operating fees. Orthodontic offices should familiarize themselves with the PCI DSS 12-step checklist, which includes firewall configuration, encrypting cardholder data and monitoring all network access, among other requirements. Regular security checks for vulnerabilities are a great way to ensure your patient data is secure, and they will save money and lower risk in the long run.

This is Part 2 of a four-part series we will be bringing you in the coming weeks. Part 1 talked about how credit card processors overcharge 72% of businesses. Part 3 will discuss how to avoid unfair fees when your payment processor is embedded in your practice management software. And Part 4 will explain how practicing good payment processing hygiene can strengthen your practice’s valuation.

Eric Cohen is the CEO and founder of Merchant Advocate, which works with merchants, including private practice owners, to reduce credit card processing fees from the unregulated credit card industry without having to switch processors.