By Jeff Holt, VP, Senior Healthcare Business Banker with PNC Bank
Is your practice prepared to process chip cards from your patients, as required starting in October 2015? We are now past that deadline, and many dental practices have still not upgraded their equipment and software to the newer, more secure EMV technology.
It is important for all dental practices to understand the history of how and why this technology has evolved, and then to consider what is best for your patients and practice before properly implementing and utilizing EMV technologies.
A chip card enhances the security of electronic payments when it is inserted into the chip reader of a chip-enabled terminal rather than swiped. The chip generates a unique, one-time transaction code that is sent to the merchant in place of the static card data a magnetic stripe carries, which makes the card very difficult to copy. Your chip card therefore adds a layer of security at chip-enabled terminals; however, perpetrators continue to look for new opportunities to commit fraud.
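The point above, that a per-transaction code cannot be reused the way copied stripe data can, is easy to see in a small model. The following is an added illustration, not code from the article or from any EMV specification: real EMV cards derive a session key from the card's Application Transaction Counter (ATC) and compute the cryptogram (ARQC) with a block cipher, whereas here an HMAC stands in for that, and the card key is assumed to be known only to the chip and the issuer. All account numbers and amounts are constructed test values.

```python
"""
Simplified model of why a chip cryptogram resists replay while static
magnetic-stripe data does not. Added example; HMAC stands in for the
block-cipher ARQC that a real EMV card computes (an assumption made
for clarity, not the real EMV algorithm).
"""
import hashlib
import hmac
import secrets


# ---- Magnetic-stripe model: the card hands over static data ----------------

class StripeIssuer:
    """Issuer that can only check the static account data on the stripe."""

    def __init__(self, pan: str):
        self.pan = pan

    def authorize(self, presented_pan: str, amount_cents: int) -> bool:
        # A copied stripe carries exactly the same data as the original,
        # so the issuer has no way to tell the two apart.
        return presented_pan == self.pan and amount_cents > 0


# ---- Chip model: the card proves it holds a key without revealing it --------

def _cryptogram_input(pan: str, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Data bound into the cryptogram: account, counter, amount, terminal nonce."""
    return f"{pan}|{atc}|{amount_cents}|".encode() + nonce


class Chip:
    """The card. Holds a secret key that never leaves it and a transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0  # Application Transaction Counter, incremented per transaction

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = _cryptogram_input(self.pan, self.atc, amount_cents, terminal_nonce)
        # Truncated to 8 bytes, the length of a real ARQC (modelling choice only).
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        # This record is what the merchant and the network see: no key inside it.
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "mac": mac}


class ChipIssuer:
    """Issuer that shares the card key and tracks the last counter value seen."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.last_atc = 0

    def authorize(self, t: dict) -> bool:
        if t["pan"] != self.pan:
            return False
        if t["atc"] <= self.last_atc:      # counter already used: replay or reorder
            return False
        msg = _cryptogram_input(t["pan"], t["atc"], t["amount"], t["nonce"])
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, t["mac"]):  # altered data or wrong key
            return False
        self.last_atc = t["atc"]
        return True


def demo() -> dict:
    """Run both models against the same attempts and report each outcome."""
    pan = "4111111111111111"  # constructed test PAN, not a real account

    # Stripe: the data captured at the first purchase authorizes a second one.
    stripe = StripeIssuer(pan)
    stripe_first = stripe.authorize(pan, 12500)
    stripe_replay = stripe.authorize(pan, 12500)

    # Chip: the captured record is rejected when resent or altered.
    key = secrets.token_bytes(16)
    chip, issuer = Chip(pan, key), ChipIssuer(pan, key)
    t1 = chip.cryptogram(12500, secrets.token_bytes(4))
    chip_first = issuer.authorize(t1)
    chip_replay = issuer.authorize(t1)                       # same record resent
    tampered = dict(t1, amount=99900, atc=t1["atc"] + 1)     # amount changed, MAC stale
    chip_tampered = issuer.authorize(tampered)
    t2 = chip.cryptogram(4200, secrets.token_bytes(4))       # genuine next purchase
    chip_second = issuer.authorize(t2)

    return {"stripe_first": stripe_first, "stripe_replay": stripe_replay,
            "chip_first": chip_first, "chip_replay": chip_replay,
            "chip_tampered": chip_tampered, "chip_second": chip_second}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} authorized={outcome}")
```

The stripe issuer approves the replayed data because it has nothing but static data to check; the chip issuer rejects the replay on the counter alone and the altered record on the MAC, while the card's next genuine transaction still goes through. That is the property the liability shift described below is built around: a terminal that reads the chip gets this protection, one that swipes does not.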
Starting in October 2015, financial liability for card-present counterfeit card losses will shift from the card-issuing banks to merchants if merchants receive chip-enabled cards but have not yet installed chip card capable terminals. This liability shift will apply to all merchants, regardless of size. As a card processor, your medical practice will need to ensure your point-of-sale (POS) system is capable of accepting chip cards due to this fraud liability shift. Now is the perfect time to review your processing needs, and upgrade to a chip card capable system.
“For healthcare professionals, the need to protect patient information goes beyond desire – HIPAA / FIPA compliance, regulations, and reputation demands it,” explains Dylan Floyd, regional account executive with PNC Merchant Services. “EMV utilizes a European-based chip and pin technology that has decreased fraud by over 90 percent worldwide for face-to-face transactions.”
BY THE NUMBERS
Let us first cover some of the staggering statistics that will show you why this technology came to be needed:
- The total cost of fraud in the U.S. is estimated at $8.6 billion per year, according to an Aite Group report from 2010, so preventing fraud growth is of the utmost importance.
- A recent USA Today article ranked Florida as the #1 state in the U.S. for number of identity theft complaints, with the average amount paid of $2,104.
- An analysis by Visa® found that small merchants account for more than 80 percent of data security breaches.
- Major insurance companies, such as AIG and Great American, report that the average cost of a data breach in 2012 was more than $38,000.
- And security experts affirm that the sale of credit card information is still thriving on the black market.
In the end, security breaches may not only expose your practice to fines from bank regulators and the card associations; they can also rob you of your patients' trust.
How Could Your Practice Be Financially at Risk When Non-Compliant?
A data breach already has a very negative impact on your practice and your patients, but a breach that occurs while you are out of compliance can bring further consequences: card association fees and penalties of up to $10,000 per occurrence and $500,000 in total; monthly non-compliance fees; damage to the reputation of your practice; and, in the worst case, being driven out of business.
“Non-compliance with PCI-DSS requirements provides banks and the credit card companies the means to recoup lost funds, as well as levy penalties,” said Tatiana Melnik, a healthcare attorney based in Tampa. “But losing the trust of your patients could have a greater negative financial impact on the practice than the fines.”
When considering the unfortunate possible combination of both the fines and loss of patient trust, the resulting total financial impact could be difficult to recover from. So how should your practice prepare for implementation? Initially, identify all credit card collection points and systems used by your organization and talk to your merchant services provider to understand their strategy for chip cards. Then, assess your practice’s potential risks based on credit card volumes, current fraud experience and areas of potential exposure.
This process may require an initial investment, so budget for new card terminals and/or system upgrades, as well as training for your staff.
If your practice was unable to meet the October 2015 deadline, you may want to investigate whether potential losses due to fraudulent card transactions will be covered by corporate insurance policies.
Basic Payment Card Industry Data Security Standard (PCI DSS) data security requirements should still be implemented for security and compliance reasons. Twice a year, complete a PCI DSS Self-Assessment Questionnaire (SAQ) to self-evaluate your compliance with PCI DSS. (Visit https://www.pcisecuritystandards.org/ to learn more about what you need to do to become PCI compliant).
Please ask your healthcare business banker for assistance to get your practice in the best possible position to be EMV compliant at all times.
Jeff Holt is a Senior Healthcare Business Banker with PNC Bank’s Healthcare Business Banking and can be reached at (352) 385-3800 or Jeffrey.firstname.lastname@example.org.