Acceptance of credit and debit cards is absolutely necessary for the modern independent pharmacy. However, credit cards can represent a major liability for the holder of the merchant account. Strong security measures are available, but pharmacies must implement them properly.
Scope of the Problem
Small businesses have become the preferred target of sophisticated criminal attacks. These often take the form of planting malicious code on point-of-sale systems and then quietly harvesting card data over weeks or months. After the high-profile breaches of the last few years, larger operations have buttressed their security, and cybercriminals have naturally gravitated to smaller merchants, where security is often weaker. That is bad news for independent pharmacies. A recent survey by Fortinet found that nearly two-thirds of consumers hold merchants responsible for data breaches and that 60% of small operations suffering a breach are out of business within six months. To protect their businesses and their customers, pharmacies must understand these key security concepts…
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cards from the major card brands. It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC), and it specifies controls around cardholder data (network segmentation, encryption, access control, logging and regular security testing) intended to reduce card fraud. Merchants with smaller processing volumes validate compliance annually by completing a Self-Assessment Questionnaire (SAQ); which SAQ applies depends on how the merchant accepts and stores card data, so a pharmacy that never stores card data electronically fills out a much shorter questionnaire than one that does. Learn more about PCI requirements at www.pcisecuritystandards.org.
EMV (named for Europay, Mastercard and Visa) is the chip-card standard behind the microprocessor or ‘smart chip’ now embedded in payment cards. It is a fraud-reducing technology aimed at losses from counterfeit cards: the chip computes a unique cryptographic code for every transaction, using a key that never leaves the chip, so data skimmed from one purchase cannot be replayed or used to build a working copy of the card. Alongside the technology, the card brands instituted a liability shift (October 2015 for most U.S. card-present transactions): when counterfeit fraud occurs, the party in the payment chain that did not support EMV absorbs the loss. In the simplest terms, if a chip card is presented at a pharmacy that could have deployed chip-enabled terminals but chose not to, the counterfeit-fraud chargebacks that would previously have fallen on the card issuer now fall on the pharmacy. Note what EMV does not do: it does not stop a breach of card data from an infected point-of-sale system. That threat is what the PCI DSS controls address.
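To make concrete why a per-transaction code defeats both replay and cloning, here is an added example that is not code from the article or from any card brand. It is a deliberately simplified stand-in for the EMV cryptogram: the chip holds an issuer-loaded key and a transaction counter, and the issuer host rejects any request whose code does not verify or whose counter has not advanced. Real EMV derives a 3DES/AES session key from the counter and computes an ARQC; HMAC-SHA256 over the same kind of inputs is used here instead, and the card number, amounts and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed, simplified model (not real EMV code). The chip holds a secret key
# loaded by the issuer, keeps an Application Transaction Counter (ATC), and for
# every purchase computes a cryptogram over the amount, the ATC and a random
# number chosen by the terminal. HMAC-SHA256 stands in for the EMV ARQC here.


def _mac(key, pan, amount_cents, atc, unpredictable_number):
    msg = b"|".join([pan.encode(), str(amount_cents).encode(),
                     atc.to_bytes(2, "big"), unpredictable_number])
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class ChipCard:
    pan: str
    key: bytes          # never leaves the chip; a skimmer cannot read it
    atc: int = 0        # increments on every transaction

    def generate_ac(self, amount_cents, unpredictable_number):
        """Return (ATC, cryptogram) for this transaction."""
        self.atc += 1
        return self.atc, _mac(self.key, self.pan, amount_cents,
                              self.atc, unpredictable_number)


class Issuer:
    """Issuer host: knows each card's key and the highest ATC seen so far."""

    def __init__(self):
        self.keys = {}
        self.last_atc = {}

    def enroll(self, card):
        self.keys[card.pan] = card.key

    def authorize(self, pan, amount_cents, atc, unpredictable_number, cryptogram):
        key = self.keys.get(pan)
        if key is None:
            return False
        # A counter that does not move forward means a replayed or stale request.
        if atc <= self.last_atc.get(pan, 0):
            return False
        expected = _mac(key, pan, amount_cents, atc, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return False    # wrong key (counterfeit chip) or altered data
        self.last_atc[pan] = atc
        return True


def purchase(card, issuer, amount_cents):
    """Terminal side: choose an unpredictable number, obtain the card's
    cryptogram, send the request to the issuer. Returns (approved, request)."""
    un = os.urandom(4)
    atc, ac = card.generate_ac(amount_cents, un)
    request = (card.pan, amount_cents, atc, un, ac)
    return issuer.authorize(*request), request


def run_demo():
    issuer = Issuer()
    card = ChipCard(pan="4111111111111111", key=os.urandom(16))  # constructed test card
    issuer.enroll(card)

    genuine_ok, captured = purchase(card, issuer, 4250)

    # Attack 1: a compromised POS replays the exact authorization it captured.
    replay_ok = issuer.authorize(*captured)

    # Attack 2: a counterfeit card with the real PAN but a guessed key, used at
    # a fresh terminal with its own unpredictable number and a higher counter.
    clone = ChipCard(pan=card.pan, key=os.urandom(16), atc=captured[2])
    clone_ok, _ = purchase(clone, issuer, 4250)

    # The genuine card keeps working afterwards: its counter is still ahead.
    genuine_again_ok, _ = purchase(card, issuer, 1999)

    return {"genuine": genuine_ok, "replay": replay_ok,
            "clone": clone_ok, "genuine_again": genuine_again_ok}


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:14s} {'approved' if ok else 'declined'}")
```

Contrast this with a magnetic stripe, whose track data is the same on every swipe: a copy of the stripe is a working card, and an issuer that sees identical data twice has no way to tell the second swipe is fraudulent. The point the example makes is that the cryptogram protects the card itself, not the cardholder data passing through the terminal; the PAN is still visible in the request, which is why a breached POS remains a PCI DSS problem even after EMV is deployed.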
PCI DSS and EMV have decreased the incidence of payment card fraud but, as noted above, the smallest businesses are those with the least sophisticated security. Under the card brands' tiering, merchants processing up to one million transactions annually (and fewer than 20,000 e-commerce transactions) are “Level 4” merchants; they are by far the largest group and the one that validates by SAQ alone. Because criminals continue to target the easiest prey, Visa requires that, effective January 31, 2017, Level 4 merchants have their payment applications and terminals installed and integrated by a Qualified Integrator and Reseller (QIR) listed by the PCI SSC. Insecure remote-access configuration and default credentials on integrator-installed systems are a common root cause of small-merchant breaches, and that is the gap the QIR program is meant to close. Learn more about QIR at www.pcisecuritystandards.org/assessors_and_solutions/qualified_integrators_and_resellers.