Date:
Saturday, October 12, 2013
Time:
11:00 am – 12:00 pm
Location:
The Walt Disney World Swan and Dolphin Resort, Southern Hemisphere Salon 4-5
Title:
Data Security and New Issues for HIPAA Compliance
ACPE # 207-000-13-104-L04-P
0.1 CEUs
ACPE # 207-000-13-104-L04-T
Activity Type:
Knowledge-based
Speaker:
Harry Lattanzio, RPh, President, PRS Pharmacy Services
Mark Wayne, Executive Vice President, ANXeBusiness Corp
Pharmacist Learning Objectives:
Upon completion of this activity, participants will be able to:
1.
Discuss PCI compliance and steps a business might have to take after discovering a breach of credit card
data security.
2.
Discuss changes to patient privacy and health data security in the HIPAA Omnibus rules.
Technician Learning Objectives:
Upon completion of this activity, participants will be able to:
1.
Discuss PCI compliance and steps a business might have to take after discovering a breach of credit card
data security.
2.
Discuss changes to patient privacy and health data security in the HIPAA Omnibus rules.
Disclosures:
Harry Lattanzio is the President of PRS Pharmacy Services. The conflict of interest was resolved by peer
review of the slide content.
Mark Wayne is the Executive Vice President of ANXeBusiness Corp. The conflict of interest was resolved
by peer review of the slide content.
NCPA’s education staff declares no conflicts of interest or financial interest in any product or service
mentioned in this program, including grants, employment, gifts, stock holdings, and honoraria.
The PCI Compliance Opportunity
Mark A. Wayne
Executive Vice President
Risk and Compliance
Disclosure
Mark Wayne is the Executive Vice President of ANXeBusiness Corp. The conflict of interest was resolved by peer review of the slide content.
Learning Objective
• Discuss PCI compliance and steps a business might have to take after discovering a breach
WHAT IS PCI?
Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. In practice that means any merchant that has a Merchant ID (MID).
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
PCI compliance is a requirement for all merchants accepting cards.
PCI ECOSYSTEM
PCI SSC –
Independent standards body providing oversight on the
development and management of PCI standards.
Founding Acceptance Brand Members
AMEX, Discover, VISA, JCB and MasterCard
Standards
PCI PTS – covers tamper detection, cryptographic processing and the mechanisms that protect the PIN. Requirements apply to POS hardware and devices.
PA-DSS – applies to third party payment applications
PCI-DSS – applies to any entity that stores, processes, or transmits
cardholder data.
PCI TERMINOLOGY 101
Cardholder – Customer purchasing goods, either as a card-present or a card-not-present transaction. The person who receives the payment card, and the bills, from the issuer.
Issuer – Bank or other organization issuing a payment card on behalf of a payment brand such as VISA, or a payment brand issuing a payment card directly, such as AMEX.
Merchant –
Organization accepting the payment card for
payment during a purchase.
PCI TERMINOLOGY 101
Acquirer – Bank or entity the merchant uses to process its payment card transactions.
Receives authorization requests from the Merchant and forwards them to the Issuer for approval.
Provides authorization, clearing and settlement services to the Merchant.
Also called – Merchant Bank, ISO, Payment Brand (NEVER VISA or MasterCard, which do not acquire merchants directly).
Responsible for merchant compliance – ensures that its merchants understand PCI DSS compliance requirements and tracks their efforts; manages merchant communications.
Works with merchants until full compliance has been validated. Merchants are not compliant until all requirements have been met and validated. The Acquirer is responsible for reporting Merchant compliance status to the payment brands.
Incurs any liability that may result from non-compliance with payment brand compliance programs.
TIMING IS OF THE ESSENCE
Merchants are being held accountable
MERCHANT ACCOUNTABILITY
GENERAL MERCHANT PCI REQUIREMENTS BY LEVEL

Level  Criteria                                                      On-Site Security Audit  Self-Assessment Questionnaire  Network Vulnerability Scan
1      Any merchant processing more than 6 million transactions      Required annually       -                              Required quarterly
       per year
2      Any merchant processing 1 to 6 million transactions per year  -                       Required annually              Required quarterly
3      Any merchant processing 20,000 to 1 million transactions      -                       Required annually              Required quarterly
       per year
4      All other merchants, not in Levels 1, 2 or 3                  -                       Required annually              Required quarterly
PCI DSS – MERCHANT REQUIREMENTS
PCI DSS Requirement / Specific Actions Required: the “Digital Dozen”

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security
LEVEL 2-4 SAQ REQUIREMENTS
Requirements vary by SAQ type

Type   Criteria                                      Secondary Criteria                                               Interval  Work Effort
A      No card present (on-line only)                No previous breaches                                             Annual    Minimal (13 questions)
B      Connected via phone line or “knuckle-buster”  No previous breaches                                             Annual    Reasonable (31 questions)
       (manual imprinter)
C      Connected via Internet                        No previous breaches, segmented network, no stored credit cards  Annual    Challenging (82 questions)
C-VT   Only web-based (virtual) terminals            No previous breaches, segmented network, no stored credit cards  Annual    Challenging (82 questions)
D      POS connected via Internet                    All other merchants and all service providers                    Annual    Exhausting (291 questions)
P2PE   Point-to-point encryption                     End-to-end encrypted POS                                         Annual    Under construction