Townsend Security Data Privacy Blog

Outsourcing Credit Cards? You Still Need to Be PCI Compliant

Posted by Kristie Edwards on Sep 17, 2012 8:32:00 AM

At Townsend Security we get all kinds of questions about PCI Compliance. A question we get asked frequently by healthcare professionals is:

As a medical healthcare provider, we accept payments via check or credit card through Point of Sale devices implemented by a third-party vendor. Are we responsible to comply with PCI DSS requirements?

Many people assume that if they use a third-party vendor, the vendor must be the one to comply with PCI DSS. Our CEO, Patrick Townsend, has a different take on this subject. I asked Patrick if he could answer some of the common questions asked by healthcare providers concerned about PCI DSS compliance requirements.

Are we (healthcare providers) responsible for complying with PCI DSS?

Yes, every Merchant is responsible for PCI DSS compliance even if using an outsourced service. However, this type of arrangement can greatly reduce the amount of work that the Merchant has to do. Usually you will only need to complete and sign a Self Assessment Questionnaire (SAQ). You would get this from your outsourced authorization provider.

Okay, but if we do need to be concerned with PCI compliance, how is the PCI DSS process managed? Does the IT team tackle this? Our compliance team?

Typically the IT department takes the lead on coordinating any work that has to be done for PCI DSS. This might include things such as a vulnerability scan by an approved scan provider and similar types of tasks. An officer or director then reviews and signs the SAQ and letter. In medical organizations the Compliance Officer is typically more involved with various medical industry compliance requirements related to HIPAA and so forth and usually not involved with PCI DSS. But it never hurts to ask.

What about banks that process our clients’ credit card information? What kind of reporting should we be getting from our bank confirming that they are compliant or following PCI DSS compliance?

Banks are under a different type of compliance requirement for PCI. You should just ask them for a letter assuring you that they meet all PCI data security requirements as an authorization provider.

Sometimes PCI compliance can be confusing. Hopefully, thanks to Patrick, you may now have a better understanding of PCI compliance and how you can outsource credit card information while remaining PCI DSS compliant. If you have questions about PCI compliance, send me an email at kristie.edwards@townsendsecurity.

If you want to learn more about PCI compliance and how Townsend Security can assist with the process, listen to Patrick speak about current best practices and encryption key management in the webinar, “Key Management Best Practices: What New PCI Regulations Say.”


Topics: PCI DSS, Best Practices, Healthcare