
Payment card industry noncompliance risk: Data breaches and loss in revenue

Oct. 21, 2024
The transition to PCI DSS version 4.0, whose remaining requirements become mandatory on March 31, 2025, means dental practices must protect themselves from data breaches, noncompliance fines, and rising credit card processing fees amid a surge in cyberattacks.

The shift from the Payment Card Industry (PCI) Data Security Standard (DSS) version 3.2.1 to PCI DSS version 4.0 represents a major change in how organizations manage payment card security. Version 3.2.1 was retired on March 31, 2024, and the future-dated requirements of version 4.0 become mandatory on March 31, 2025. Dental practices that handle credit card information must act swiftly to understand and comply with the new standard.

A 2023 study highlighted a concerning trend: many organizations lack a thorough understanding of the PCI DSS version 4.0 requirements, and some have not even begun implementing the necessary changes.1 As the deadline approaches, that gap translates into compliance issues, a higher risk of data breaches, and potential fines. This is especially alarming because the health care sector is a prime target for bad actors seeking sensitive patient data: in the US, ransomware attacks against the health care sector rose 128%, from 113 victims in 2022 to 258 in 2023.2

To limit the financial impact of a data breach, dental practices must safeguard every system that touches patient and payment data, which starts with understanding PCI DSS version 4.0. The standard is designed to build and maintain secure networks and systems, protect stored and transmitted account data with strong cryptography, and maintain a vulnerability management program that protects all systems from malicious software.

PCI DSS also emphasizes strong access control: restricting access to system components and cardholder data to those who need it, identifying and authenticating every user, and tightly controlling physical access to cardholder data. The self-assessment questionnaires (SAQs) have been updated to align with PCI DSS version 4.0 and reflect these requirements. Regular monitoring and testing of networks, supported by organizational information security policies and programs, round out the core components of PCI DSS compliance.

Changes in self-assessment questionnaires (SAQs)

With the transition to PCI DSS version 4.0, the SAQs have been revised to align more closely with the updated requirements. The wording in the SAQs now mirrors the language of the standard itself, and the reporting responses more thoroughly address the security needs of the payment card industry. The additional requirements introduced in version 4.0 are currently considered best practices but become mandatory on March 31, 2025.3

PCI compliance vs. HIPAA compliance

It's crucial to understand that Health Insurance Portability and Accountability Act (HIPAA) compliance does not ensure PCI compliance. HIPAA protects patients' medical records and other protected health information; it does not cover payment card data, which is the focus of PCI DSS. A practice that is HIPAA compliant must still meet PCI DSS separately for every system that stores, processes, or transmits cardholder data.

Understanding PCI compliance

PCI compliance is not a one-time task but a continuous process aimed at protecting consumers against cyber threats through a set of 12 requirements. These include maintaining firewalls and other network security controls, replacing vendor-supplied default passwords and enforcing strong authentication, encrypting cardholder data in transit over open networks, and more.

Consequences of noncompliance

Although PCI compliance isn't mandated by law (it is a contractual obligation imposed by the card brands through a merchant's acquiring bank), failing to comply with PCI DSS version 4.0 can result in investigations, fines, and penalties, especially if a data breach occurs after the new standard becomes mandatory. For example, noncompliance with PCI standards can result in fines ranging from $20 to more than $5,000 per month, depending on the details of the noncompliance and any breach.3

Noncompliance significantly increases the financial and reputational damage after a breach, as card issuers may require merchants to pay the cost of reissuing affected cards and covering fraudulent charges. Without preventive measures, a practice may lose its reputation or go bankrupt.

Noncompliance fines are also tacked onto the merchant statement as an additional monthly fee, raising the practice's regular operating expenses and adding to the ever-growing problem of rising fees. Credit card processors currently overcharge 72% of businesses, eroding their revenue. The lack of regulation and oversight in the payment processing sector has led to a steady increase in these processing fees.

In 2023, merchants collectively paid $172 billion in processing fees, an increase of more than 7.5% compared to 2022.4 While some fees are inevitable, others can be negotiated or completely avoided, making it essential to know how to spot them on statements or to work with a third party who can negotiate the fees on behalf of the dental practice.

The shift to PCI DSS version 4.0 requires immediate and sustained effort from organizations to understand, implement, and maintain the new standard. Maintaining PCI compliance is an ongoing effort that protects consumers, streamlines operations, and shields the practice from severe financial and reputational damage.

References

  1. The state of enterprise readiness for PCI DSS 4.0. Bluefin. August 2023. https://www.bluefin.com/resources/white-papers/pci-dss-4-0/

  2. Ransomware attacks surge in 2023; Attacks on healthcare sector nearly double. Cyber Threat Intelligence Integration Center. February 2024. https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf

  3. Malone A. PCI DSS v4: What's new with self-assessment questionnaires. PCI Security Standards Council. https://blog.pcisecuritystandards.org/pci-dss-v4-whats-new-with-self-assessment-questionnaires

  4. Dizon AL, Herrera A. PCI non-compliance fee: What it is & how to avoid it. Fit Small Business. September 2023. https://fitsmallbusiness.com/pci-non-compliance-fee/

About the Author

Eric Cohen, founder and CEO of Merchant Advocate

A veteran of the finance industry, Eric Cohen founded Merchant Advocate in 2006. After extensive experience in the merchant services industry, he was determined to create a fair value proposition and transparency for merchants in their dealings with credit card processors. As Merchant Advocate's founder and CEO, Eric has helped develop an entirely new industry of advocacy in merchant services and has saved merchants over $300 million in excess fees.