
PCI PA-DSS in Healthcare – Part 2

What Can I Do?

What can you do to take action and address the issue? There are a number of strategies a healthcare organization can use to address PA-DSS in the short run:

  • Compile a list of potential applications and check the PA-DSS validated list at the PCI SSC’s website – https://www.pcisecuritystandards.org/security_standards/vpa/
    • NOTE – you need to make sure that you are checking application revision as well – it matters in this process (i.e., if the app is listed, is your release listed?)
  • Contact any of your software vendors that might fit the criteria noted above and ask them to document a response to a few questions:
    • If the application (or the revision) is not on the list, ask why and what are the vendors’ plans?
    • If the vendor does not feel that PA-DSS applies to their application, ask them to document why and have their response looked at by someone qualified to provide an opinion (a list of organizations that can validate applications can be found here – https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml)
    • If the vendor has indicated that their application is PA-DSS-compliant, but it’s not on the list, ask why – the PCI SSC has indicated that the validated payment application list (#1) is the only list that’s going to matter.
    • Again, if the application is not on the validated list, and the vendor indicates that they are in process with a PA-QSA, ask which one and the timeline. Ask to talk with the PA-QSA. Most would be very happy to speak with you as long as the application vendor is willing and allows them to do so.
  • Educate yourself and your team on the PA-DSS and how others in healthcare are addressing PA-DSS with their vendors. There are a number of good blogs and documents from the PCI Council. I know that a number of leading healthcare application vendors are providing educational opportunities addressing PA-DSS. Finally, most PA-QSA firms would be happy to talk with you and answer questions (although I’d pick one that has healthcare experience; otherwise, they may be heavily focused on retail). I’ll include links and resources below.
  • For upcoming applications that you are considering for purchase and that fit the criteria for PA-DSS:
    • Explain to potential vendors that you are screening for PA-DSS. If they aren’t on the PA-DSS validated list either now or by a mutually agreed-upon date, take them out of the purchase process.
    • Stipulate in your contracts that applicable vendors will not only achieve compliance, but will also maintain PA-DSS compliance as required by the PCI SSC. Validation is not a one-time event for application providers; it is an ongoing process that needs to be continuously addressed.

Summary

The healthcare industry is one of the most highly regulated industries on earth. Given the myriad requirements that your organization faces on a daily basis, I do not wish to raise one more to your attention; however, the far-reaching nature of the Payment Card Industry Data Security Standard and its sister standard, the Payment Application Data Security Standard, requires that the healthcare community not ignore some critical industry mandates. HITECH and HIPAA have driven security and privacy and, given the nature of the information that they are protecting, that approach is understandable. The need to protect credit card data is often not seen as a priority in healthcare the way it is in other industries (like retail), but the PCI DSS can create significant issues for any organization that takes credit cards as payment. Gaining a better understanding of PA-DSS, its applicability to your software solutions, and its potential impact on your organization is important. This is a standard that is largely dependent on vendor compliance and therefore can pose some unique challenges that other standards and regulations do not share. Please take the time now to analyze the potential impact of the PA-DSS on your organization and take the steps that you can to minimize that impact.

References

PCI Council Sites / Documents of Interest:

Additional Sites / Documents of Interest:
