Data theft

01 January 2015
Volume 31 · Issue 1

Chris Davies explains how to protect your patients.

Changing habits and technological innovation are profoundly changing the way people make payments. Consumers have come to see the benefits in alternative methods such as contactless and mobile payment. As a result, dental practices need to consider how to accommodate shifting customer demands as more and more payment options become available.
The latest card expenditure statistics from the UK Card Association have shown that card spending amounted to £47.3bn in August, which was up £0.2bn on the level recorded in July. The report also mentions that there has been a persistent decline in the average transaction value over the last three years, which is a likely reflection of the growing number of low value cash payments via contactless or mobile.
One of the prime areas for development is the use of digital wallets stored as apps on smartphones. Although consumer adoption of this has so far been slow, the technology is expected to become ubiquitous among younger people, for whom using a smartphone is second nature. In the near future, this will potentially present you with a patient base that is highly engaged and ready to adopt new technology when it comes to alternative payment methods. Therefore, you will need to consider updating your card terminals to support near-field communication technology, which allows acceptance of contactless and mobile payments.
Although alternative payment methods such as contactless are quick and convenient, dental practices need to be aware of the complications that accepting any kind of electronic payment can bring. Card fraud and data theft are a growing problem. Fraudsters have become ever more sophisticated, and stories about criminals targeting both companies and individuals to obtain the sensitive information contained in credit and debit cards are becoming more frequent.
While cards carry obvious benefits, both practitioners and patients can often be unaware of the imminent danger of data theft and how valuable card data can be to criminals. Criminals have developed ever more sophisticated methods to gain access to cardholder details and other relevant data. It is therefore essential to be alert to card security to ensure that your payment systems are safe, in order to protect cardholder data when processing card payments.
This is where the Payment Card Industry Data Security Standard – or PCI DSS – steps in. The PCI DSS is a set of globally agreed compliance standards for any retailer or service provider who processes, stores or transmits cardholder data. It is designed to provide a framework for success in safeguarding patient data and minimising fraud.
For further details of what you can do to comply, go to the PCI Security Standards Council’s website. There you can find out why and how to become compliant with the security standards and how to make use of the services the council offers globally.
The principles of PCI DSS mean that small practices are held to the same security standards as large ones. This is important as it means that regardless of how a patient pays, their card information must be treated with the equivalent level of care, irrespective of the size of the establishment.
Research suggests that smaller businesses can be particularly exposed. Symantec’s 2014 Internet Security Threat Report has shown that 41 per cent of all targeted attacks were aimed at smaller businesses, namely those with fewer than 250 employees. With the help of the right software and products on terminals, you can safeguard your patients’ sensitive data against internet-based attacks.
The positive news is that compliance is usually inexpensive if undertaken correctly. If you fail to comply with PCI DSS requirements, you run the risk of being subject to a breach (a leak of data) resulting in large fines – starting at £10k. Of even greater concern is the reputational damage and impact on the loyalty of patients that can result from cards being compromised. This has been evident with the major retailers globally that have suffered from recent breaches, and experienced a serious reputational impact.
Likewise, practices need to be alert to the potential of fraudulent card use that can arise using stolen cards and data. Card processors can provide a checklist of steps to take if you are concerned about the authenticity of a card, such as calling the company for additional authorisation, or requesting proof of address if you are particularly suspicious. However, your processor will typically offer you protection should you be the victim of an individual paying with a stolen card.
At a time of heightened concern about card fraud and data theft, you need to urgently address how you achieve compliance with security standards in order to provide the best possible protection for both your patients and your own practice.