SecureState Blog


Don’t be a Data Hoarder

Credit Card data is a crown jewel for cybercriminals.  While organizations may have a legitimate business need to store cardholder data (CHD) as a part of their business process, storing that data on your systems makes your organization a target.  The PCI-DSS allows for the storing of CHD, provided that a business justification is well documented and adequate security controls are in place.  If you are a company or line of business manager who feels you need to store CHD, consider the list of bad reasons detailed below and possibly revisit your business model to limit storing CHD, or better yet, stop collecting it!

1.)  Need a record of the transaction – With the variety of masking, hashing, truncation, and encryption technologies available today, recording a full credit card number on paper or storing electronically is never advisable.

2.)  Refunds – Another common misconception for healthcare organizations is that they believe they need the full credit card number to process refunds. In reality, most merchant banks can perform a credit transaction without the full credit card number.

3.)  Recurring transactions – If you are storing patient credit cards, whether on paper or electronically and without encryption, because of recurring or scheduled charges, this is a data breach waiting to happen.

4.)  Legacy Systems – Many healthcare IT departments are starved of resources (e.g., staff and systems). Legacy systems that still function, but really should be retired in favor of newer technology, remain in service and are storing and/or transmitting full sixteen-digit credit card numbers unencrypted.

5.)  It’s the way we have always done it – Many healthcare organizations have a long history and uniquely deep roots within their communities. The revenue cycle (patient billing) process at many healthcare organizations is their lifeblood (pun intended) and the overarching sentiment seems to be that if it isn’t broken why fix it. Writing down patient credit card numbers on post-it notes without proper document destruction is never acceptable!
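Item 1 above names masking and truncation as alternatives to keeping a full card number. The following is an added example (not SecureState's code, and not part of the original post) that shows the two things a billing or IT team most often needs in practice: masking a primary account number (PAN) down to the first six and last four digits, the maximum the PCI DSS allows to be displayed, and scanning existing files or logs for full PANs that should not be there. The PAN format check uses the Luhn checksum; the sample log lines are constructed, and the card numbers in them are well-known test numbers, not real cards. The regex and the field names are assumptions for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (assumed format). The first two card numbers are
# standard test PANs that pass the Luhn check; the "invoice" on the third line is
# 16 digits but fails Luhn, so a naive digit-count scanner would flag it wrongly.
SAMPLE_LOG = """\
2024-01-15 10:02:11 refund request patient_id=4471 card=4111 1111 1111 1111 amount=25.00
2024-01-15 10:05:42 scheduled charge card=5555555555554444 amount=120.00
2024-01-15 10:07:03 lookup invoice=4111111111111112 status=ok
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def is_pan(digits: str) -> bool:
    """PAN length range used by the major card brands is 13-19 digits."""
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep first six and last four, star the rest.

    This is a display control only; it does not make the stored value safe.
    Stored PANs still need truncation, tokenization or strong encryption.
    """
    digits = _strip_separators(pan)
    if not is_pan(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in the text, separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group())
        if is_pan(digits):
            found.append(digits)
    return found


def redact(text: str) -> str:
    """Replace every full PAN in the text with its masked form."""
    def _repl(m):
        digits = _strip_separators(m.group())
        return mask_pan(digits) if is_pan(digits) else m.group()
    return PAN_CANDIDATE.sub(_repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("full PAN found, masked form:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Running the block on the constructed log reports the two real test PANs and leaves the Luhn-invalid invoice number alone. A scanner like this is a discovery aid, not proof of compliance: Luhn-valid numbers that are not card numbers do occur, so hits need human review, and finding a PAN in a log means the process that wrote it there needs fixing, not just the file.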

You would never post a patient’s condition or diagnosis on an easily-accessible notepad or online bulletin so why then treat a patient’s financial information, like CHD, any differently?


Bottom line: Understanding the PCI DSS framework and its nuances can be overwhelming, especially for healthcare employees and medical professionals whose primary responsibility is, and should be, patient care. Are you receiving pressure from your bank to submit a PCI Self-Assessment Questionnaire attesting to PCI compliance? Perhaps you have specific PCI questions before you decide to have an onsite PCI audit completed? Whatever the reason, partnering with a Qualified Security Assessor (QSA) company such as SecureState to provide objective guidance and help you navigate your path to PCI compliance is an excellent choice. Protecting all patient data – PHI and CHD – is an integral component of the patient experience and, therefore, should not be overlooked.