Editor’s Note: This blog entry was originally published on June 14, 2016, and was updated on April 2, 2020.
If any of your merchants are pharmacies, you know that acceptance of credit and debit cards is absolutely necessary for the modern pharmacy. However, credit cards can represent a major liability for the holder of the merchant account if not properly handled. Strong security measures are available, but pharmacies must implement them properly in order to effectively process payments securely.
Scope of the Pharmacy Security Problem
Small businesses are the preferred target for sophisticated criminal hacks. Often, hacks take the form of planting malicious code on systems and then collecting large packets of sensitive data. Larger operations, after the high-profile data breaches in the last few years, have buttressed their security. Naturally, cybercriminals have gravitated to smaller merchants, where security is often weaker.
That can mean bad news for independent pharmacies. On average, a data breach costs $80,000 per pharmacy location. Further, a survey by Fortinet revealed that nearly two-thirds of consumers held merchants responsible for data breaches and that 60% of small operations suffering a data breach are out of business within six months. This means you need to do what you can to lessen the risk for your pharmacy clients and provide them with secure payment processing solutions ensuring they are meeting all security requirements as set by the Payment Card Industry Security Standards Council (PCI SSC).
Key Payment Security Concepts for Pharmacies
To protect your clients and their customers, it is important to make sure your pharmacy clients understand and properly implement several key security concepts.
The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for those handling credit cards from the major card brands. The standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council (PCI SSC).
This standard increases controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually by Self-Assessment Questionnaire (SAQ) for companies handling smaller credit card processing volumes. There are twelve PCI requirements that must be met in order to maintain PCI compliance.
EMV - a microprocessor or ‘smart chip’ - is a fraud-reducing technology that protects against losses from the use of counterfeit cards. EMV cards generate a new code for every transaction, making the card virtually impossible to counterfeit and re-use.
With the new technology, the payments industry has instituted a liability shift in recent years where the party in the payments chain not enabling EMV will be considered responsible if fraud occurs. This means if ISVs don’t implement available EMV acceptance features in the solutions they offer to their pharmacy clients, then the ISV could be held liable for losses incurred if a data breach occurs.
PCI-DSS and EMV have decreased the incidence of payment card fraud but, as alluded to earlier, the smallest businesses are often those with the least sophisticated security measures. These small businesses - those accepting up to one million card-present transactions annually - are referred to as “Level 4” merchants.
Because criminals continue to target the easiest prey, the PCI SSC now requires all Level 4 merchants to have their payment applications and terminals installed by a Qualified Integrator and Reseller (QIR). QIRs must be certified by the PCI Security Standards Council.
By using a QIR, your merchants can be assured that their payment applications and terminals are installed and integrated in a matter that mitigates payment data breaches and complies with PCI-DSS requirements.
With the average pharmacy filling hundreds of prescriptions a day, that adds up to a lot of transactions. For those transactions where credit cards are used, ISVs need to ensure they’ve implemented strong security measures in the solutions they provide to their pharmacy clients. To learn about the security solutions offered by Global Payments Integrated, contact us today.