New credit card standard

Protecting patients' financial information can affect dental practices

There's a new standard to help businesses that accept credit cards protect patients' financial information from theft, but many dentists are unaware it exists and may find it hard to understand.

The new standard is not a law but a set of security practices agreed upon by Payment Card Industry Standards Council members and applied to merchants through their agreements with their credit card provider. PCISC was created by the five major credit card networks—American Express, Discover, JCB, MasterCard Worldwide and Visa Inc.

They have established a standard for organizations that accept and process credit cards, including lesser requirements for small businesses, the category into which most dental practices would fall, to keep their customers' payment information secure. The Payment Card Industry Data Security Standard (PCI DSS) is a list of 12 requirements that includes installing and maintaining a protective firewall, using anti-virus software and encrypting the transmission of cardholder data, among others.

"We need to be aware of the devastating effects of credit card fraud. As health professionals we instinctively protect the identities of our patients. As business people we need to help protect their financial information as well," said Dr. Jake DeSnyder, chair of the Council on Dental Practice.

The PCI council recommends that dentists complete a self-assessment questionnaire to prove they are complying with the regulations.

Verizon Business, a company hired to investigate major corporate security breaches, conducted a study last year and found that in 81 percent of the cases it investigated the victims were not PCI-compliant. The company dug into 90 breaches where 285 million records were compromised, according to the study, titled 2009 Data Breach Investigations Report.

Many dentists are unaware the compliance standard exists and are frustrated to have to worry about another issue related to their business, said Arthur Meisel, executive director of the New Jersey Dental Association.

"It's just one more item that you have to comply with that's a pain in the neck, when the dentists just want to practice dentistry," Mr. Meisel said.

The ADA's goal is to inform members that the standard exists and educate them about how they can comply, said Dr. DeSnyder.

"The forms use credit card industry jargon and could be complicated for dentists or their staff to understand," said Dr. Michael Halasz, member of the Council on Dental Practice.

Some New Jersey dentists have had to pay fines for not filling out the questionnaire, Mr. Meisel said. The fines differed depending on the credit card processor and have ranged from a monthly billing statement charge of about $10 to a one-time, presumably annual, fee of around $300, he added.

According to Mr. Meisel, the NJDA's endorsed processing company, Health Card Systems, has notified the group that dentists will be charged an additional fee if they fail to complete the questionnaire. On Jan. 1, Health Card Systems began charging a monthly fee of $8.95 to the members of the NJDA who did not complete the self-assessment questionnaire. It's his understanding that Health Card uses the fee to buy insurance to provide coverage in the event a claim is made against a non-PCI compliant vendor, he said.

Dr. DeSnyder encourages all ADA members to contact their credit card processor to learn about possible penalties or fees.

Chase Paymentech, a credit card processing company that ADA Business Resources and 16 constituent dental societies endorse, requires all of its merchants to comply with the standard. Unlike some other providers, Chase Paymentech does not charge any annual or monthly fees to assist members with PCI compliance.

For more information, members can reach Chase Paymentech at 1-800-618-1666 or on the Web at www.chasepaymentechsales.com. To find out more about the PCI standard, visit www.pcisecuritystandards.org.