Overview
The healthcare industry – particularly the digital health industry – is increasingly becoming monetized and using an e-commerce model through direct interactions with the customer to accept credit card payments. This innovation allows consumers and patients to make payments for products and services directly. The healthcare industry, like others, must comply with the Payment Card Industry Data Security Standard (PCI DSS) with respect to credit or debit card transactions.
It is a common misconception that if an entity has outsourced its payment card processing, the entity then does not have PCI DSS obligations. All entities that accept or process credit or debit cards must complete an annual PCI DSS assessment, even if they have entirely outsourced card processing to a third party.
The new version of PCI DSS (4.0) becomes mandatory March 31, 2024, and introduces many new rigorous requirements. Entities that provide these monetized digital health services and accept payment cards are likely “merchants” or “service providers” under the PCI DSS definitions. Both merchants and service providers must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) at least annually to comply with PCI DSS. ROCs or SAQs that are started after March 31, 2024 (the retirement date of prior PCI DSS version 3.2.1), will need to use the new 4.0 version with its more rigorous requirements.
Some merchants and service providers may be in the midst of their PCI DSS compliance validation efforts under prior PCI version 3.2.1 as of March 31, 2024. In that case, merchants or service providers should reach out to the organizations that require their PCI compliance (e.g., acquiring banks, card brands, processors) to determine next steps, including whether they can continue with their 3.2.1 validation exercise. Some card brands (such as Mastercard) have indicated that they will continue to accept SAQs created under PCI DSS 3.2.1 until June 30, 2024, if the SAQ was completed prior to March 31, 2024.
As with any other channel used to process payment cards, security and authentication are paramount concerns. Even if the entire cardholder data environment is outsourced, there are still obligations to comply with PCI DSS.
In Depth
While participants in this industry may have some familiarity with PCI DSS obligations, the confluence of new technologies and connected-to systems with the advent of PCI DSS 4.0 drives a new PCI DSS compliance imperative.
PCI DSS 4.0 Brings New Requirements
After two years to prepare, the March 31, 2024, date for compliance with PCI DSS 4.0 is almost here. PCI DSS 4.0 – which brings major changes to the payments ecosystem – places an increased focus on targeted risk analysis, organizational maturity and governance. It also makes PCI DSS compliance a continuous effort, rather than an annual snapshot exercise, and introduces a customized approach to PCI assessments, enabling businesses to implement alternative technical and administrative controls that meet the customized approach objective.
Merchants, service providers, issuers, acquirers and any other businesses that accept card payments or store, process or transmit payment cardholder data should have already begun planning for PCI DSS 4.0. Implementing PCI DSS 4.0 will require structural changes that go beyond tweaking security controls. Businesses will also need to prepare for the increased legal risks of PCI DSS 4.0’s obligations. PCI assessments under version 4.0 will require more security documentation, risk analysis and affirmative statements than before, exposing the company’s security posture to greater scrutiny.
Because of the complexity of the new requirements and the time required to implement structural changes, companies should promptly begin addressing and validating compliance. Businesses should consider whether to involve legal counsel and other consultants (under privilege) in this assessment and other aspects of their transition to PCI DSS 4.0, including for purposes of encouraging full and open communication and consideration of risks and exposure.
WHAT’S NEW IN PCI DSS 4.0?
PCI DSS 4.0 is an extensive change to the previous version, PCI DSS 3.2.1. Some of the significant changes are included below.
Increased Requirements for Yearly Diligence for Merchants and Service Providers
PCI DSS 4.0 increases the requirements for periodic diligence by merchants and service providers by adding several new controls, including the following:
- Service providers now have an explicit requirement to provide merchants with information necessary for the merchant to comply with its monitoring requirements under PCI DSS 12.8.4 and 12.8.5 (PCI DSS 12.9.2).
- At least every 12 months and upon a significant change, merchants and service providers must document and confirm the PCI DSS in-scope environment (PCI DSS 12.5.2), with additional documentation requirements for service providers (PCI DSS 12.5.2.1-2).
- Merchants and service providers must conduct a targeted risk analysis for any controls that use the customized approach, at least every 12 months with written approvals by senior management (PCI DSS 13.3.2).
- Merchants and service providers must complete at least an annual risk analysis for any controls whose frequency of performance is left flexible (PCI DSS 13.3.1, best practice until 2025).
- Merchants and service providers must review at least annually cipher suites and protocols (PCI DSS 12.3.3, best practice until 2025).
- Merchants and service providers must conduct at least an annual review of hardware and software technologies in use, with a plan to remediate outdated technologies approved by senior management (PCI DSS 12.3.4, best practice until 2025).
These additional annual diligence requirements will take time and effort to establish. Merchants and service providers may want to build these new processes well in advance of having to rely on them for PCI DSS compliance through their ROC or SAQ processes and QSA oversight. Starting sooner rather than later will be key to pragmatic results, allowing at least one practice cycle of these assessments prior to relying on them for PCI DSS compliance.
New Customized Approach
When merchants and service providers cannot meet the prescriptive controls of PCI DSS 3.2.1, they must propose a compensating control and justify it with a risk assessment and a compensating control worksheet. In PCI DSS 4.0, this option still exists, but there is also a new option for a customized control approach. This customized approach retains the requirement to evaluate risk but allows for a more strategic pathway to meet a control. Instead of compensating for the lack of a control, the customized approach allows the merchant or service provider to document a different control based on the objective of the control that is being customized. The assessor will then assess the customized control in place of the control that is being substituted, allowing for a long-term customization rather than a shorter-term “compensating” control. (Not all controls are eligible for the customized approach. Notably, PCI DSS 3.3.1 prohibits storage of sensitive authentication data after authorization.)
Expanded Risk Analysis Guidance
PCI DSS 4.0 also provides expanded guidance on conducting risk analysis. Risk analysis has always been a part of PCI DSS, and it is used significantly as part of the compensating control worksheet. This new version includes a Sample Targeted Risk Analysis Template (PCI DSS Appendix E2). While using the template is not mandatory, the template provides more information on how the PCI Security Standards Council expects a risk analysis to be carried out.
Clarifications to “Significant Change” Standard
PCI DSS 4.0 clarifies key PCI DSS concepts, including a fuller description of a “significant change,” which was not specifically defined in prior PCI DSS versions. While this latest version does not provide an exact definition, PCI DSS 4.0 does provide descriptions and examples of a significant change (PCI DSS, Section 7, Description of Timeframes Used in PCI DSS Requirements). This is important given the many interim changes, adaptations and updates (especially in the mobile payments industry) in the United States and other countries, such as India.
WHEN DOES PCI DSS 4.0 TAKE EFFECT?
PCI DSS 4.0 was issued on March 31, 2022, but will remain optional until March 31, 2024, when PCI DSS v. 3.2.1 will be retired. Assessments begun after that date must be under version 4.0. Some companies have opted into 4.0 already and are conducting PCI assessments and SAQs/ROCs under 4.0.
Several new requirements added for version 4.0 will not become mandatory until March 31, 2025. Until that date these requirements are considered “best practice.”
WHAT ARE THE LEGAL RISKS?
Failure to comply with PCI DSS 4.0 may lead to further investigations, fines, penalties and assessments by card brands and acquirers. In addition, seven state laws already either incorporate PCI DSS as an obligation, include requirements to protect card data or provide a safe harbor for compliance with PCI DSS. Violations of PCI DSS also appear from time to time in class action lawsuits, regulatory enforcement actions, or as standards of reasonable security practice.
The increased focus on risk analysis in PCI DSS 4.0 means that entities are likely to disclose more information about their security program to QSAs than they would under version 3.2.1. Given that PCI security assessments are not conducted under privilege, businesses should be prepared for the assessment papers to be scrutinized, particularly in the wake of a security incident. This will be increasingly significant, because the widespread adoption of chip transactions in the United States has reduced the viability of card cloning, reportedly causing credit card fraudsters large and small to target card-not-present transaction data and increase cybersecurity risk to a wide variety of companies.
Statements made in risk analyses should be accurate, verifiable and consistent with other disclosures. Security documentation should reflect actual, provable and current practices. Customized controls should defensibly meet the defined customized approach objectives.
The transition to PCI DSS version 4.0 will prove challenging and time-consuming to many companies. Companies should begin their transition planning promptly. An initial step in the transition should be an assessment against the PCI DSS 4.0 standard to identify compliance gaps and opportunities to implement a customized approach. Engaging outside counsel to help oversee the conduct of the internal assessment or other aspects of transition planning can mitigate risk and contribute to a successful transition.