Dara Security

A Business Case for Retaining Credit Card Numbers

May 29, 2014

One of the benefits of my job is talking with a variety of people, merchants and customers alike, and discussing how merchants are growing their businesses and what customers expect. On my latest trip, I spoke with a number of doctors running their own practices. What I discovered is that cash flow is king, and guaranteeing cash flow overrides the risk of retaining credit card data.

Why Retaining Credit Card Numbers Matters

Retaining credit card numbers establishes a payment method for patients. If payments can simply be charged to the credit card data on file, the doctor's office does not have to spend resources chasing down delinquent payments. Storing credit card numbers also allows co-payments to be easily charged in the case when a child visits the doctor without a parent.

The general thinking is that doctors' offices already store patient information securely according to HIPAA rules, so adding credit card data to the list will have minimal impact on office resources. However, unlike HIPAA-related data, the handling of credit card data must be reported.

Credit Card Data Comes With Some Protection

Credit card data is covered by a separate standard known as the Payment Card Industry Data Security Standard (PCI DSS). Any business handling credit card data is required to report this activity to its merchant service provider. If the credit card data is stored or retained, both the extent of what must be reported and the technical requirements for securing the data increase greatly.

Retaining Credit Card Numbers Within Requirements

Fortunately, there are ways of retaining credit card numbers that will not impact a medical practice's existing PCI DSS requirements. First and foremost, never retain the card validation code. Retaining this code is treated as a criminal offence by Visa and Mastercard and can result in losing the ability to accept credit cards for payment. Second, ask your merchant service provider whether it supports a virtual terminal for managing retained credit card numbers.

A virtual terminal is a web-based application accessed through a web browser. Office staff enter credit card data into the virtual terminal just as they would into a hardware payment terminal (POS) located in the office. The credit card data is not stored in the office but within the merchant service provider's network, allowing for future or recurring payments. By using a virtual terminal that supports storage, the medical practice establishes a recurring payment method and reduces the PCI DSS impact on the practice. Another advantage of a virtual terminal is that credit card transaction fees may decrease. One critical requirement, however, is that the medical practice must confirm that the virtual terminal service offered by the merchant service provider is PCI DSS compliant.
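The pattern described above (the card lives in the provider's vault, the office keeps only a reference to it, and the validation code is never kept) can be enforced at the point where the office saves a payment record. The following is an added example, not code from this post or from any merchant service provider; the token format, field names and sample record are assumptions, and the Luhn check is used only to recognise a full card number that has strayed into a field where it must not be stored.

```python
import re
from dataclasses import dataclass

# Fields the practice must never persist locally: the validation code is
# prohibited outright, and the full card number belongs in the provider's vault.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cid", "card_validation_code", "pan", "card_number"}
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used only to tell a real card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if the text holds a 13-19 digit run that passes Luhn (spaces/dashes ignored)."""
    flat = re.sub(r"[ -]", "", text)
    return any(luhn_valid(m.group()) for m in PAN_CANDIDATE.finditer(flat))


@dataclass(frozen=True)
class CardOnFile:
    provider_token: str  # opaque reference from the provider's vault (assumed format)
    last4: str
    exp_month: int
    exp_year: int


def rejection_reason(record: dict):
    """Return why a record must not be stored in the office, or None if it is safe to keep."""
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            return f"field {key!r} is cardholder data and stays with the provider"
        if isinstance(value, str) and contains_pan(value):
            return f"field {key!r} contains a full card number"
    if not re.fullmatch(r"\d{4}", str(record.get("last4", ""))):
        return "last4 must be exactly four digits"
    return None


def build_card_on_file(record: dict) -> CardOnFile:
    """Accept only token, last four digits and expiry; refuse anything else."""
    reason = rejection_reason(record)
    if reason:
        raise ValueError(reason)
    return CardOnFile(record["provider_token"], str(record["last4"]),
                      int(record["exp_month"]), int(record["exp_year"]))


# Constructed sample of what the provider hands back after entry in the virtual terminal.
SAMPLE_RECORD = {"provider_token": "tok_constructed_7f3a9c", "last4": "1111",
                 "exp_month": 9, "exp_year": 2016}
```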

Advice On Retaining Credit Card Numbers

I want to round out this discussion with a bit of advice for patients of a medical practice that is actively retaining credit card numbers. It is your credit card data, and the security of that data is something you should take seriously. Too many simple mistakes have resulted in breaches that could easily have been avoided. Just as you should be concerned with how your doctor safeguards your medical information, you should ask your doctor's office how it handles and secures your credit card data. They are required to secure it not just by the payment card industry but, in many cases, by state law as well.