
How can community pharmacy be PCI DSS compliant?

Being compliant with PCI DSS isn’t a one-off job; it’s something businesses need to do continuously.

The steps you should take to become compliant will depend on the size and complexity of your business. These are the general steps all businesses should take to make sure they are compliant, and they should be repeated annually.

1. Identify your PCI DSS level

Your level is based on how many card transactions you take each year:

Level 1 – over 6 million transactions annually

Level 2 – between 1 million and 6 million transactions annually

Level 3 – between 20,000 and 1 million transactions annually

Level 4 – less than 20,000 transactions annually

2. Perform a gap analysis

A gap analysis is where you compare how your business currently keeps card payment information secure with the PCI Security Standards for keeping the data secure. You should make a note of anywhere your business doesn’t meet the standards as you will need to address these in order to be compliant.

3. Complete the Self-Assessment Questionnaire

There are lots of different types of questionnaire, but there is guidance on which version to complete on the PCI Security Standards Council website.

4. Engage a Qualified Security Assessor (QSA)

This applies to larger businesses (PCI DSS Level 1) and to businesses that have breached PCI DSS in the past. A QSA is a security professional certified by the PCI Security Standards Council; they will audit your business processes and make recommendations.

5. Address any gaps

Make sure you address every area of non-compliance identified in the steps above.

There are also tasks that should be done within the business to ensure compliance.

Staff training

All staff should be trained in how to take card payments and how to protect customer data. They should also be trained in IT security. This training should be completed annually for all staff. The Mandatory training page on the NumarkNet training platform has modules to assist with this.

IT security

Make sure all users have their own log ins for systems and that they have strong passwords for their accounts. This also applies for systems such as business Wi-Fi. Be vigilant for visitors to the business claiming to be working on IT or card payment systems.

Card payment devices, sometimes known as process data quickly (PDQ) devices

Make sure the machine is sited and secured by the till, in plain sight and within reach of customers who wish to pay by card. These devices should be inspected regularly for signs of tampering. The inspection should include:

- Keyboard: inspect for any overlays, such as additional keys fitted on top of the existing ones. Look for any keys that don't match or are missing.

- Card slot: ensure it is unobstructed. Is the swipe path visible? Does anything appear out of the ordinary?

- Transaction patterns: has there been an increase in the number of declined transactions recently?

- Casing: check for any visible external wires, or for screws that are missing.

- Anything else that seems unusual.

You should document the inspections in case of a PCI DSS audit. Record the date of the inspection, the person who carried it out, any problems identified and how they are to be rectified.

Secure storage of payment details

Any customer data should be stored securely, and payment details are no exception. Computerised systems should follow IT security guidelines, and any physical card data (e.g. merchant PDQ receipts) should be stored securely, for example in a locked box, and shredded once the business no longer needs it. It is recommended to keep physical merchant PDQ receipts for a minimum of 2 months, but your merchant services agreement (the contract with your card payment services provider) may specify a different length of time you should keep them for.