New credit card security standards set for release Nov. 7
The Payment Card Industry Security Standards Council (PCI SSC) will release the latest version of the PCI Data Security Standards (PCI DSS) Nov. 7 to help companies, including dental practices, improve credit card payment security.
The PCI DSS is not a law but a set of security best practices agreed upon by PCI SSC members and applied to merchants through their agreements with their credit card provider. The PCI SSC was created in 2006 by the five major credit card networks—American Express, Discover, JCB, MasterCard Worldwide and Visa Inc.
The phased-in implementation of the PCI DSS version 3.0 will begin Jan. 1, 2014, with all new requirements to be mandatory by July 1, 2015.
The updated standards should have minimal impact on most dental practices, as many, through their technology provider, are already utilizing best practices to ensure patients' payment information is protected, said David Wallace, vice president of Global Merchant Compliance for Chase Paymentech, the only credit and debit card processor endorsed by ADA Business Resources.
However, dentists should reach out to their service provider to make sure they are aware and actively working to keep up with new standards.
The PCI DSS is a list of 12 requirements that includes installing and maintaining a protective firewall, using antivirus software and encrypting the transmission of cardholder data.
Among the new standards expected in the final version of the latest PCI DSS is maintaining a security policy between dental practices and service providers—to ensure both parties know their responsibilities when it comes to protecting payment information.
Other expected updates include restricting physical access to the point-of-sale terminal, restricting access to cardholder data and requiring passwords to be at least seven alphanumeric characters.
Key drivers for version 3.0 updates, according to the council, include: lack of education and awareness; weak passwords and authentication challenges; third-party security challenges; slow self-detection in response to malware and other threats; and inconsistency in assessments.
PCI standards have lifecycles of three years to ensure they adapt to the ever-changing threat of those seeking to commit credit card fraud and developing new attacks to circumvent merchants' defenses.
"We want to make sure the standard remains relevant and continues to promote better security and protection to the people who use it," Mr. Wallace said.
The three-year lifecycle of version 3.0 ends Dec. 31, 2016.
For more information about Chase Paymentech, visit bestpaymentprocessing.com/ada or call 1-800-618-1666.