
What is PCI Compliance in Healthcare?

PCI compliance in healthcare means securing payment account data in accordance with the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 whenever payment account data is maintained separately from Protected Health Information. Failure to comply with PCI DSS can result in the loss of merchant accounts, fines, and civil actions.

The PCI DSS (Payment Card Industry Data Security Standard) is an information security standard designed to reduce payment card fraud by increasing security controls around cardholder data and sensitive authentication data. All organizations that process, store, or transmit payment account data are required to comply with PCI DSS unless a federal, state, or industry standard provides greater protection to payment account data than PCI DSS does.

In the healthcare industry, the HIPAA Administrative Simplification Regulations (“HIPAA”) protect the privacy and security of individually identifiable health information. Any non-health information stored in a designated record set with individually identifiable health information assumes the same protections as the health information stored in the designated record set. HIPAA provides the same or greater protection to Protected Health Information than PCI DSS provides to payment account data.

If a healthcare provider that qualifies as a HIPAA covered entity only maintains an individual’s payment account data in the same designated record set(s) as their health information, HIPAA applies. However, if elements of payment account data are maintained outside a designated record set, they do not qualify as Protected Health Information and HIPAA does not apply. In this case the standards for PCI compliance in healthcare apply to the payment account data.

The Preemption of PCI DSS by Other Laws

Before discussing the standards for PCI compliance in healthcare, it bears repeating that PCI DSS applies only where it is not preempted by a federal, state, or industry standard that provides greater protection to payment account data. Some state data privacy laws exempt HIPAA covered entities with respect to Protected Health Information but not with respect to data that does not qualify as Protected Health Information; the Colorado Privacy Act is one example.

Healthcare organizations that maintain payment account data – or other individually identifiable non-health information – outside of designated record sets are advised to develop a healthcare compliance program that determines which federal, state, or industry standards apply to which areas of their activities and which types of data. For the record, there are two types of payment account data covered by PCI DSS – cardholder data and sensitive authentication data:

Payment Account Data

Cardholder Data                     Sensitive Authentication Data
Primary Account Number (PAN)        Full Track Data (magnetic-stripe data or equivalent stored in a chip)
Cardholder Name                     Card Verification Code
Expiration Date                     PINs/PIN Blocks
Service Code
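The practical difference between the two columns is what may be written to disk. Sensitive authentication data must never be retained after authorization, even encrypted, while the PAN may be stored only once it has been rendered unreadable (truncation, a keyed hash, or strong cryptography), which is the substance of the "Protect Stored Account Data" standard. The following Python is an added example, not code from the original article or from the PCI Security Standards Council: it locates Luhn-valid PANs in free text (a clinical note, a log line, an export) so cardholder data that has strayed outside a payment system can be found, and it gates a record on its way to storage, dropping sensitive authentication data and keeping the PAN only as a first-six/last-four truncation plus an HMAC. The field names, the regex, the sample record and the HMAC key are this example's own constructions, and the first-six/last-four format is one common truncation choice rather than the only permitted one.

```python
"""
Added example, not from the original article: locating PANs in free text and
gating what may reach persistent storage. Field names, the regex, the sample
record and the HMAC key are this example's own constructions.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Account data elements named after the table above; the field names are assumed.
CHD_FIELDS = {"pan", "cardholder_name", "expiration_date", "service_code"}
SAD_FIELDS = {"full_track_data", "card_verification_code", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; weeds out most non-card digit runs (MRNs, order IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep the first six and last four digits; the middle digits are
    discarded, not merely hidden behind a mask at display time."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def keyed_pan_hash(digits: str, key: bytes) -> str:
    """HMAC-SHA256 of the full PAN. An unkeyed hash is not enough: with the
    first six and last four known from a truncation, only about 10^5
    Luhn-valid PANs remain and a plain SHA-256 table enumerates them quickly."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in text."""
    out = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            out.append(digits)
    return out


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text with its truncated form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return truncate_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_RE.sub(_sub, text)


@dataclass
class StorageResult:
    stored: dict      # fields that may be written, PAN already transformed
    refused: list     # sensitive authentication data fields that were dropped


def prepare_for_storage(record: dict, hmac_key: bytes) -> StorageResult:
    """Decide field by field what may persist once the transaction is authorized."""
    stored, refused = {}, []
    for name, value in record.items():
        if name in SAD_FIELDS:
            refused.append(name)  # never retained after authorization, even encrypted
        elif name == "pan":
            digits = re.sub(r"[ -]", "", str(value))
            if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                raise ValueError("field 'pan' does not contain a valid PAN")
            stored["pan_truncated"] = truncate_pan(digits)
            stored["pan_hmac"] = keyed_pan_hash(digits, hmac_key)
        elif name in CHD_FIELDS:
            stored[name] = value  # other cardholder data may be stored
        elif isinstance(value, str):
            stored[name] = redact_pans(value)  # a PAN typed into a note must not persist in clear
        else:
            stored[name] = value
    return StorageResult(stored, refused)


if __name__ == "__main__":
    DEMO_KEY = b"constructed-demo-key; keep real keys in an HSM or KMS"
    record = {  # constructed sample record
        "pan": "4111 1111 1111 1111",
        "cardholder_name": "Jane Doe",
        "expiration_date": "12/27",
        "card_verification_code": "123",
        "pin_block": "8A3F0C...",
        "notes": "Copay charged to card 4111-1111-1111-1111; MRN 1234567890123",
    }
    result = prepare_for_storage(record, DEMO_KEY)
    print("refused:", result.refused)
    for k, v in result.stored.items():
        print(f"{k}: {v}")
```

Run as a script, the sample record comes out with the card verification code and PIN block refused, the PAN replaced by "411111******1111" and an HMAC, and the PAN inside the free-text note redacted while the 13-digit medical record number, which fails the Luhn test, is left alone. The keyed hash is what lets two records for the same card be matched without the PAN being recoverable from the database; if the truncation and the hash live side by side, the HMAC key must be held outside that database, otherwise the missing six digits can be brute-forced against the hash.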

The Standards for PCI Compliance in Healthcare

The current standards for PCI compliance in healthcare (v4.0.1) were published in June 2024. They updated v4.0, published in March 2022 and retired on December 31, 2024; the previous version, v3.2.1, was retired on March 31, 2024. Organizations still assessing against a retired version are not compliant, because later versions added new requirements under each standard. Note also that the requirements v4.0 introduced as future-dated best practices became mandatory on March 31, 2025. The current 12 standards for PCI compliance in healthcare are:

Build and Maintain a Secure Network and Systems

  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components

Protect Account Data

  3. Protect Stored Account Data
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Maintain a Vulnerability Management Program

  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software

Implement Strong Access Control Measures

  7. Restrict Access to System Components and Cardholder Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data

Regularly Monitor and Test Networks

  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test Security of Systems and Networks Regularly

Maintain an Information Security Policy

  12. Support Information Security with Organizational Policies and Programs

While many of the standards for PCI compliance in healthcare resemble standards in the HIPAA Privacy, Security, and Breach Notification Rules, the requirements beneath them are more prescriptive than HIPAA (for example, on how a stored PAN must be rendered unreadable, on key management, and on what must be logged), and those requirements bind any healthcare organization that processes, stores, or transmits payment account data through self-developed or bespoke payment solutions. Most off-the-shelf payment solutions are validated against PCI DSS and support compliance by default, which narrows the scope of the organization's own assessment; it does not remove the organization's responsibility for the systems under its own control or for overseeing the provider relationship.

The Requirements for Complying with the PCI DSS Standards

Over the twelve standards for PCI compliance in healthcare, there are more than 300 implementation, testing, and documentation requirements. The full list of requirements can be found in the Document Library on the PCI Security Standards website (registration required). The v4.0.1 document also includes guidance on best practices for implementing applicable requirements and recommendations for testing their effectiveness for compliance.

As mentioned previously, organizations that fail to comply with the standards for PCI compliance in healthcare can lose their merchant accounts, be fined (by banks, card issuers, and/or State Attorneys General), and be subject to civil actions if a breach of payment account data causes harm to individuals. Healthcare organizations that require help navigating and implementing the standards should seek advice from an independent compliance professional.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve Alder is considered an authority in the healthcare industry on HIPAA, and The HIPAA Journal has evolved into the leading independent authority on HIPAA under his editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
