Keeping patient credit cards on file
- Hersheydmd
- Posts: 705
- Joined: Sun May 03, 2009 9:12 pm
Keeping patient credit cards on file
Is anyone storing patient credit card numbers on file for use after insurance payment or for recurring payments?
How are you storing them? Are they encrypted? I was going to have patients fill in their numbers on a form at my kiosk or online, but I came across information that this may not be safe or advisable.
["Storing cardholder data (credit card numbers) in a log book, file cabinet, tickler-reminder system, or spreadsheet with the purpose of entering them into a credit card machine every month is a clear violation of Payment Card Industry Data Security Standards (PCI DSS).
If you can retrieve the full account number from the system you use, then your filing system is not PCI DSS-compliant and your company is subject to security breaches.
PCI DSS is to the credit card industry as HIPAA is to the healthcare industry — established to protect consumers.
...since June 2005, merchants have been required to follow PCI DSS or face hefty fines in the event of a security breach. If there is fraudulent use of card data, you can be financially responsible — and the fines can be as high as $25,000 per incident."]
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429
Re: Keeping patient credit cards on file
I'd imagine you'd need an encrypted system for that, something that doesn't reveal the card number to a user but can still process it.
- Hersheydmd
- Posts: 705
- Joined: Sun May 03, 2009 9:12 pm
Re: Keeping patient credit cards on file
I was just reading about security on QuickBooks Help. I decided I am only going to enter patient credit card numbers into QuickBooks, and not have patients enter them on forms that are stored in OD.
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429
-
- Posts: 64
- Joined: Fri Jul 30, 2010 3:43 am
Re: Keeping patient credit cards on file
The last 2 versions of OD have significant XCharge feature enhancements. Now you can swipe a card and the system will store the card as XXX....XXX(Last 4 digits), actually stored as a "token," encrypted and still able to be processed. I've been on OD support for a while today with the programmer to fix an issue I've been having. Hopefully he got it fixed (we'll know tomorrow), so we can use this "token" feature. He is also working on functionality for scheduling charges for an account to auto run the card. This will be useful for those pts for whom we submit, accept assignment, then charge remaining balance. A system that we must tighten up soon because our admins are still chasing people down who receive the ins check and never pay.
- Hersheydmd
- Posts: 705
- Joined: Sun May 03, 2009 9:12 pm
Re: Keeping patient credit cards on file
The problem is storing the number in a secure encrypted password protected manner so that it can't be stolen. Quickbooks will do that for me.
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429
Re: Keeping patient credit cards on file
Sounds like that's what the XCharge system is being set up to do.
We can also do this with PayConnect (merchant services portion of Claims Connect, dentalxchange.com)... we can log in, see previous batches... only the last 4 numbers are shown on a CC#, and we can send a recurring payment that way, or a one time, or refund, all thru the web portal. We never need to know the whole number. I haven't toyed too much with the Open Dental integration other than direct swiping, but I don't think I can do recurring/refunds thru Open Dental directly; I'd have to go thru the web portal. No big deal tho.
-
- Posts: 64
- Joined: Fri Jul 30, 2010 3:43 am
Re: Keeping patient credit cards on file
So the glitch with XCharge was not solved yesterday. Their tech support was on our server and on the phone with our admin for several hours today via remote access, and finally solved the issue- which other offices are very likely to encounter. They installed a closed version of XCharge rather than the open one which jives with OD. Finally got several other techs involved who figured it out (should mention their techs were very pleasant). No fault of OD- in fact, Jason from OD was outstanding as he was staying on top of the situation today to ensure that it was fixed.
Now wondering about PayConnect. Anyone out there using it- I would love to hear your reviews and a breakdown about the functionality. I look forward to the new features of OD with XCharge, including the one I mentioned earlier. But with the hassle the last two days, now wondering if PayConnect is a better option.
Re: Keeping patient credit cards on file
Is anyone using PayConnect? They made a good sales pitch to save me fees from XCharge. One of the reasons I'm looking to change is the new feature in OD which allows for you to set up auto credit card billing charges you a higher fee than swiping the card if you're using XCharge. PayConnect claims their integration does not charge you a keyed rate for CC stored in Open Dental.
For those of you not aware, a keyed rate can be as high as twice as much, and add that to a transaction fee for every time the card is run. You need to know what you're being charged.
Re: Keeping patient credit cards on file
Encryption is not mandatory for dental offices yet. Lots of POS systems don't have it either. ADA is fighting hard to delay this implementation for dental offices...
It can be quite complicated to implement this, or it can be as simple as having all the data encrypted at the database level. Jordan, we would like to hear your stand on this development. Thank you.
- jordansparks
- Site Admin
- Posts: 5770
- Joined: Sun Jun 17, 2007 3:59 pm
- Location: Salem, Oregon
- Contact:
Re: Keeping patient credit cards on file
I was under the impression that it was mandatory but that there is no enforcement and the penalties would be low anyway due to the low volume. But in any case, we have implemented features that let you store tokens or hand off the CC to a processor to store on their secure systems. I don't see any reason for dental offices using Open Dental to be storing patient credit card numbers on site.
Jordan Sparks, DMD
http://www.opendental.com
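As an added illustration of the point above (not part of the original thread and not Open Dental's code): a Python check that scans free-text fields for full card numbers using the Luhn checksum and masks any it finds to the last four digits. The record ids and note texts are constructed samples.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces/hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit strings in text that look like full card numbers."""
    found = (re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [digits for digits in found if luhn_valid(digits)]


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid card number with X's plus its last four digits."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()        # claim numbers etc. are left untouched
        return "X" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(repl, text)


def audit(records: dict[str, str]) -> dict[str, int]:
    """Map record id -> count of full card numbers found in its free text."""
    report = {}
    for rid, text in records.items():
        count = len(find_pans(text))
        if count:
            report[rid] = count
    return report


# Constructed sample records; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = {
    "note-1": "Pt OK'd card on file 4111 1111 1111 1111 exp 09/27 for balance",
    "note-2": "Card on file XXXXXXXXXXXX1111 (token), run after ins pays",
    "note-3": "Claim ref 1234567890123456, call 718-555-0100 to confirm",
}
```

The Luhn check only filters out arbitrary digit runs, so a hit still needs a human look, and a clean result says nothing about scanned paper forms or images.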
- Hersheydmd
- Posts: 705
- Joined: Sun May 03, 2009 9:12 pm
Re: Keeping patient credit cards on file
PCI DSS is to the credit card industry as HIPAA is to the healthcare industry — established to protect consumers.
...since June 2005, merchants have been required to follow PCI DSS or face hefty fines in the event of a security breach. If there is fraudulent use of card data, you can be financially responsible — and the fines can be as high as $25,000 per incident."]
Dentist or not, if you accept credit card payments then you are a "merchant".
Robert M Hersh DMD, FAGD
Univ. of Penn 1982
Brooklyn, NY 11234
https://www.facebook.com/pages/Robert-M ... 1471599429