Case Study 2: Credit Card Payment System
Introduction and Primary Plan of Action
Creating a credit card payment system that is compliant with federal standards is not something that a physician should enter into lightly, as there are various standards and requirements with which they must comply. This compliance ensures the privacy of consumer data and consumer protection, as well as protection for the business from unauthorized access. In addressing the needs of the physician who has once again hired my services, I would first educate them on the various advantages and disadvantages of such a system, walk through the system requirements as outlined by the federal government, and then provide him with recommendations that would make the network compliant. All of this would be discussed before any action is taken, and I would also provide a report written in layman's terms describing the needs, the process, price points, and a page for signed consent to move forward with the process.
Payment Card Industry (PCI) and Data Security Standards (DSS) advisement
As provided for the physician
The Payment Card Industry (PCI) Data Security Standards (DSS) were developed in order to enhance the security of cardholder data while also creating a standard level of security globally (PCI, 2010). When used in a PCI-compliant environment, payments made by debit and/or credit cards face much less risk of exposing private consumer data than when used in a non-PCI-compliant environment, while simultaneously offering security to the company processing the payment. There is a lot to take into consideration, however, when deciding to implement a credit card payment system (CCPS).
The first consideration is whether the payment data will be stored in-house or whether a third party will manage it. Each method requires a different mode and level of security. In light of the fact that your business would be considered a Level 4 merchant under PCI compliance, because you complete fewer than 1 million single card transactions annually and/or fewer than 20,000 online transactions, I would recommend using a third party to manage your data (PRWeb Newswire, 2009). At present, you do not have the manpower or the resources to ensure data security and compliance with PCI/DSS, and so it would be beneficial to use a service such as TrustKeeper 3.0 in order to perform daily inspections of stored data, firewalls, anti-virus software, and file integrity (PRWeb Newswire, 2009). By employing such software, you provide an added sense of peace to your business and are better able to focus on servicing your patients without the added threat of their confidential information being attacked at any moment. My first recommendation would be to look over and strongly consider the benefits TrustKeeper 3.0 has to offer and make a decision on whether or not you would like to use it (I highly recommend going this route). Your other option would be to host the data in-house. This method requires hiring a trained, in-house technology specialist who is versed not only in network management but also in financial point-of-sale systems, PCI/DSS compliance, and how to configure and maintain a system that is in compliance with federal standards. This can become costly, as this individual would need to be full time and may require a team of additional individuals in order to ensure around-the-clock monitoring of your system.
The second consideration to undertake is the use of firewalls and data encryption. Even though an outside company will be handling the storage of your data, you will want to ensure that the transmission of the data from your office to the third party is secure and cannot be read by an outside party. In addition, you want to ensure that even if an unauthorized party is able to gain access to the information, they will not be able to use it. The first step to ensuring that this information is not intercepted is creating and maintaining a secure network firewall that filters and monitors incoming and outgoing network traffic. These firewalls should limit inbound traffic to the payment card system, should not permit unauthorized outbound traffic, should deny direct connections between the internet and the cardholder data system, should not disclose internal IP addresses, and should be installed on any personal/private devices used by any employee of the organization (PCI, 2010). In conjunction with all of the above, the encryption used to protect consumer data should employ strong cryptography and security protocols, should ensure that wireless networks through which data is sent are encrypted according to industry best practices, and should ensure that primary account numbers (PAN) are never sent unprotected through email, text messages, etc. These security measures ensure that consumer data is protected and that unauthorized access to your payment network is not granted to outside parties.
The third, and final, initial consideration to undertake is that of the anti-virus program you plan to use. While the program currently in place is great for scanning everyday correspondence and ensuring that your system is not overtaken by malware, you will want to purchase anti-virus software that detects not only Trojans, worms, and malware but also identifies and removes adware, spyware, and rootkits, while also detecting breach attempts and attempts at unauthorized access (PCI, 2010). Also, as with the firewalls and encryption methods, you will want to ensure that this software is installed and activated on any private system that is used by an employee to perform company business. An inexpensive, yet efficient and effective, anti-virus program that can be used is Trend Micro Titanium. This software not only detects the aforementioned threats but also keeps a running log of scans, detections, and removals (which is needed for audit) and provides a web filter which makes it much more difficult to happen upon harmful websites (Rietta, 2014). This type of anti-virus software is sufficient for your small business but powerful enough to keep you out of harm's way while providing added protection for your clients' data.
Even with all of the above in place, there are various other security standards that must be adhered to in order to be in compliance with PCI/DSS according to PCI (2010). Those standards include, but are not limited to, the following:
- Guarantee a current and secure system by installing all software patches and upgrades.
- Establish an identification and ranking system for network vulnerabilities and threats.
- Restrict cardholder data on a need-to-know business basis.
  - This includes employees and third parties.
  - Assign rights and authorization access according to user IDs.
  - Ensure removal of authorization and account upon termination of employment/contract.
- Ensure authenticity of authorized parties.
  - Create and maintain unique user IDs.
  - Enforce strong password combinations through the use of a 7+ character password that includes all of the following:
    - 1 capital letter
    - 1 symbol (such as &, #, =, or +)
    - Does not include any portion of the user's name
  - Require a change of password every 60-90 days.
  - Require reentry of password after an idle phase (15 minutes or less).
  - Require two-step authentication processes for remote access.
- Restrict physical access to cardholder data.
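The password, rotation, and idle-timeout rules in the list above can be enforced by software rather than left to staff memory. The following is an added example written for this report, not code from the PCI standard or from any product named on this page; it encodes the stated values (7+ characters, one capital letter, one symbol, no portion of the user's name, rotation within 90 days, re-authentication after at most 15 idle minutes) as checks an application could run at login and password-change time. The function names, the symbol list, and the choice to treat any run of three or more letters from the user's name as a "portion" of it are assumptions made for the example.

```python
"""Access-control policy checks for a small payment-handling office (added example).

The numeric limits below are the ones stated in the report. Everything else
(function names, symbol set, name-fragment length) is an assumption for the
sake of a runnable illustration.
"""
from datetime import datetime, timedelta

MIN_LENGTH = 7                       # "7+ character password"
SYMBOLS = set("&#=+!@$%^*()-_[]{};:,.<>?/\\|~`'\"")  # "&, #, =, or +" and similar
MAX_PASSWORD_AGE_DAYS = 90           # "every 60-90 days": the outer bound
IDLE_TIMEOUT_MINUTES = 15            # "idle phase (15 minutes or less)"
NAME_FRAGMENT_LEN = 3                # assumption: a "portion" is 3+ letters of the name


def name_fragments(user_name: str) -> set[str]:
    """Every case-insensitive substring of each part of the user's name that is
    at least NAME_FRAGMENT_LEN characters long (e.g. 'jan', 'ane', 'jane')."""
    frags = set()
    for part in user_name.lower().split():
        for i in range(len(part) - NAME_FRAGMENT_LEN + 1):
            for j in range(i + NAME_FRAGMENT_LEN, len(part) + 1):
                frags.add(part[i:j])
    return frags


def check_password(password: str, user_name: str) -> list[str]:
    """Return the list of rules the password violates; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    if any(frag in lowered for frag in name_fragments(user_name)):
        problems.append("contains part of the user's name")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the rotation limit."""
    return now - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def session_requires_reauth(last_activity: datetime, now: datetime) -> bool:
    """True once the session has been idle for the timeout or longer."""
    return now - last_activity >= timedelta(minutes=IDLE_TIMEOUT_MINUTES)


if __name__ == "__main__":
    # Constructed sample values for a front-desk account.
    user = "Jane Smith"
    for candidate in ("Secr3t&Pass", "Smith#2024x", "abc"):
        print(candidate, "->", check_password(candidate, user) or "compliant")
    changed = datetime(2024, 1, 1)
    print("expired after 91 days:", password_expired(changed, datetime(2024, 4, 1)))
    last_seen = datetime(2024, 1, 1, 9, 0)
    print("reauth after 15 idle minutes:",
          session_requires_reauth(last_seen, datetime(2024, 1, 1, 9, 15)))
```

The checks return a list of the rules that failed rather than a bare yes/no, so the same function can drive both the user-facing message at password change and the audit log the standard expects you to keep.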
All of these security requirements allow for an optimal environment in which to host a payment card system, but only if it is actively monitored. The enforcement of a few simple procedures can lead to the securing of a significant amount of data and the saving of a significant amount of money for any company. By ensuring these standards are in place on the front end, as well as hosting monthly staff trainings on required tasks, duties, and expectations, you are not only setting yourself up for compliance but are also creating a culture of responsibility, efficiency, and client safety.
A payment card system has the potential to provide ease and efficiency in completing business transactions for both you and your customers if implemented correctly. PCI compliance is a great place to start in terms of providing a safe and secure mode of payment for your customers, but it should not be the place that you stop if you want to provide your customers with the highest standard of service, as it is just the starting place. It is my recommendation that you seriously consider hiring an outside company and incorporating third-party software to host secure cardholder data, employ strong firewalls and encryption, and install comprehensive, automatic anti-virus software that detects issues within the system as well as potential threats on the web. In addition to all of this, I recommend a solid security plan that outlines the expectations of employees as they pertain to passwords, user IDs, data security, confidentiality, and required authentication processes. Though seemingly time consuming on the front end, the time and money saved in the long run is well worth the up-front effort.
References

PCI Security Standards Council, LLC. (2010). PCI DSS requirements and security assessment procedures (2.0). Retrieved from: https://learn.umuc.edu/d2l/le/content/47852/viewContent/2363939/View

PRWeb Newswire. (18 December 2009). Element Payment Services partners with Trustwave for Level 4 PCI DSS compliance program. Business Insights: Essentials. Retrieved from: http://bi.galegroup.com.ezproxy.umuc.edu/essentials/article/GALE%7CA222821771/fba5f6a2d2e80822af5a8451c548af53?u=umd_umuc

Rietta, F. (2014). Anti-virus for Mac PCI compliance. The Rietta Blog [Weblog]. Retrieved from: https://rietta.com/blog/2014/01/23/anti-virus-for-mac-for-pci-compliance/