Do you think your veterinary practice would survive if your privilege to accept credit and debit cards were suspended? Think about it—90 percent of your revenue comes through credit and debit card transactions. Losing this privilege would stop your practice in its tracks. Let’s say that you gross $100,000 a month. If that were cut by 90 percent, you only would have $10,000 a month to cover overhead—mortgage/rent, utilities, equipment rental, business loans and staff salaries. This is what can happen if your practice is not adhering to Payment Card Industry Data Security Standards (PCI DSS). Not being able to accept AMEX, Discover, MasterCard and Visa credit and debit cards would force you only accept cash and checks. How would your clients react to this change? Would you tell them that you breached your merchant agreement (contract) with major credit card brands? Would you tell clients that by not complying with PCI Data Security Standards you were failing to protect their credit and debit card information, leaving them vulnerable to identity theft? Why must you follow PCI Data Security Standards? Simple—when a business of any size or type accepts credit and debit cards, it is agreeing to follow these standards, which is stated clearly by major credit card brands and by the PCI Security Standards Council. Your merchant agreement binds both the credit card brands and your veterinary practice to certain terms. What the brands are obligated contractually to do for your practice: Under the merchant agreement, the brands extend the privilege of accepting credit and debit cards to your practice for the payment of goods and services. Once credit and debit card transactions have been authorized for client charges, the brands will deposit payment into your practices’ bank account. What your practice is obligated contractually to do for the brands: A processing fee will be paid to AMEX, Discover, JCB, MasterCard or Visa, and Your veterinary practice will comply with the 12 PCI Data Security Standards with more than 200 subrequirements. If you only accept cash, then your veterinary practice would be exempt from fulfilling the PCI Standards. However, how practical is that in today’s marketplace? Don’t Be Fooled by Myths “We don’t need to worry about PCI compliance because”: We only process a few credit and debit card transactions a year We’re too small—we’re not like Target or Home Depot Fact: PCI applies to your practice if you “accept, store, transmit, or process credit and debit card information.” “My veterinary practice is PCI compliant because”: My credit card processing company is PCI compliant, therefore my veterinary practice is PCI compliant. Fact: There is no legal transference of responsibility; just because the credit card processing company is PCI compliant, it doesn’t mean your veterinary practice is compliant. In other words, if your practice accepts credit and debit cards, then your practice must fulfill your PCI contractual obligations. You cannot delegate your PCI DSS obligations to another business. Failure to Comply with PCI DSS Veterinary practices that fail to comply with the 12 PCI DSS requirements and its subrequirements are unethical because they failed to live up to the terms of their merchant agreement. Breach of this agreement can result in: Fines and penalties Higher costs of compliance Legal costs, settlements and judgments Termination of ability to accept credit and debit cards Major damage to a practice’s reputation that can destroy their business The purpose of this article is to sound the alarm to awaken veterinary practice owners to a hidden liability threatening the very livelihood of a practice—their ability to collect revenue. James Iafe, DVM, has been practicing veterinary medicine in Pennsylvania for more than 20 years. Dr. Iafe is a Certified Identity Theft Risk Management Specialist (CITRMS) and a Payment Card Industry Professional (PCIP). Over the past decade, he has lectured and has published articles on data and credit card security to help veterinary practices reduce the risks of sustaining an information breach.
