NHS trusts collect and process sensitive financial information whenever patients pay for prescriptions, private treatment, non-resident fees, parking or any other service. The Payment Card Industry Data Security Standard (PCI DSS) is not legislation but a contractual standard that the card schemes and acquiring banks require of every organisation that stores, processes or transmits cardholder data; it exists to make sure these transactions are secure and that card data is protected from breaches and cyberattacks. Threats have evolved quickly in recent years, and trusts across the UK have already reported high-profile incidents such as the 2017 WannaCry ransomware outbreak, which disrupted dozens of them.
Compliance with PCI DSS is the first signal that an NHS trust takes data security seriously and has safeguards in place to protect cardholder data. Failing to comply can lead to costly consequences: fines and higher transaction fees imposed through the acquirer, liability for fraud losses, and major reputational damage.
Here we share expert tips for both finance teams and IT leaders in trusts looking to cover all bases and stay compliant with current guidelines.
Understanding PCI DSS v4.0
PCI DSS v4.0 was published in March 2022. The previous version, v3.2.1, was retired on 31 March 2024, so from 1 April 2024 v4.0 is the only version a trust can be assessed against, and it introduces more rigorous security measures to ramp up protection of cardholder data. The main changes include:
- Focus on risk assessments and security controls – v4.0 introduces targeted risk analyses (Requirement 12.3.1) and a "customised approach" option. NHS trusts must now assess their payment systems, processes and digital infrastructure to determine, and justify, the most effective security measures to protect cardholder data while delivering patient services.
- Stronger authentication protocols – Multi-factor authentication (MFA), which v3.2.1 required only for remote network access and non-console administrative access, now applies to all access into the cardholder data environment (Requirement 8.4.2).
- Password management – Passwords must be at least 12 characters long (8 where a system cannot support 12) and contain both letters and numbers; accounts must lock after no more than 10 failed attempts, for at least 30 minutes or until identity is confirmed. Passwords must be changed at least every 90 days unless the trust continuously analyses account security posture and grants access dynamically instead.
- Enhanced security training – Trusts must review their security awareness programme at least once every 12 months (Requirement 12.6), and the training must now cover threats such as phishing and social engineering attacks.
- Compliance questionnaire update – The Self-Assessment Questionnaires (SAQs) have been comprehensively revised for v4.0. Each SAQ type is tied to how cards are accepted (for example telephone payments, a hosted web payment page or chip-and-PIN terminals), so a trust must pick the right SAQ for each payment channel and evaluate its security measures in greater detail than before.
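The authentication rules above are the kind of control a trust's own login system, or a payment portal it operates, has to enforce in code. The following is an added example (not code from the original article and not Access PaySuite's product) that implements the two numeric thresholds from Requirements 8.3.4 and 8.3.6: a 12-character alphanumeric password check and a per-account lockout after 10 failed attempts for 30 minutes. The `verify_credentials` callback, the account name `ar-clerk` and the sample password are assumptions constructed for the demo; a real deployment would back this with a hashed credential store and persist the lockout state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Thresholds taken from PCI DSS v4.0 Requirements 8.3.4 and 8.3.6.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_ATTEMPTS = 10
LOCKOUT_DURATION = timedelta(minutes=30)


def password_meets_policy(password: str) -> bool:
    """Requirement 8.3.6: at least 12 characters, containing both letters and digits."""
    return (
        len(password) >= MIN_PASSWORD_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
    )


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class LoginGuard:
    """Counts failed logins per account and enforces the 8.3.4 lockout.

    Returns "ok", "denied" (wrong credentials, not yet locked) or "locked".
    A correct password presented while the account is locked is still
    refused, which is the behaviour the requirement asks for.
    """

    def __init__(self, verify_credentials: Callable[[str, str], bool]):
        self._verify = verify_credentials          # hypothetical backend check
        self._accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: datetime) -> str:
        state = self._accounts.setdefault(user, AccountState())
        if state.locked_until is not None:
            if now < state.locked_until:
                return "locked"
            # Lockout has expired (or an administrator could clear it after
            # confirming identity): reset and start counting again.
            state.locked_until = None
            state.failed_attempts = 0
        if self._verify(user, password):
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Constructed scenario: nine wrong guesses, a tenth that triggers the
    lockout, the right password during the lockout, then after it expires."""
    users = {"ar-clerk": "Ledger-2024-secure"}   # constructed sample account
    guard = LoginGuard(lambda u, p: users.get(u) == p)
    t0 = datetime(2025, 1, 6, 9, 0)
    results = []
    for i in range(10):
        results.append(guard.attempt("ar-clerk", "wrong-guess", t0 + timedelta(seconds=i)))
    results.append(guard.attempt("ar-clerk", "Ledger-2024-secure", t0 + timedelta(minutes=5)))
    results.append(guard.attempt("ar-clerk", "Ledger-2024-secure", t0 + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    print(password_meets_policy("Ledger-2024-secure"), password_meets_policy("Pay2024"))
    print(demo())
```

The time is passed in explicitly rather than read from the clock so the lockout logic can be tested deterministically; in production, store `AccountState` somewhere shared across application instances, otherwise an attacker can spread attempts across nodes and never hit the threshold.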
York NHS Trust – PCI compliance in action
York NHS Trust became aware that its method of taking card payments was not PCI compliant, which prompted it to redesign its internal controls and seek a new card payment processing solution.
As well as the weak security measures, the trust's existing manual processing of card transactions was error-prone and time-consuming. The accounts receivable team had to key in transaction files by hand every day, which introduced coding and transcription errors. Addressing these challenges led the trust to partner with Access PaySuite to implement a more automated process that reduces errors and improves efficiency.
The project also focused on automating end-of-day file processing, which meant streamlining the process and specifying the interface file. Although it required the accounts receivable team to adapt to a new way of working, the implementation of Call Secure and the automation delivered significant time savings.
The trust estimates that moving from manual to automated processing saves between half an hour and an hour per day, or up to five hours per week. The full case study is available from Access PaySuite.
Don’t miss the deadline!
PCI DSS v3.2.1 has already been retired, so every assessment now takes place against v4.0. However, a set of "future-dated" requirements, including MFA for all access into the cardholder data environment (8.4.2), management of scripts on payment pages (6.4.3), change and tamper detection on those pages (11.6.1) and the targeted risk analyses (12.3.1), were only best practice until March 31st, 2025, after which they are mandatory. That leaves little time to audit processes and implement the necessary changes.
Many trusts still operate legacy IT systems that may not meet the stringent requirements of PCI DSS 4.0. These outdated systems are more exposed to cyberattacks and data breaches that could reveal patients' financial data. Where a legacy system cannot be upgraded, the practical route is to take it out of scope altogether: segment it from the cardholder data environment and move card capture to a validated point-to-point encryption (P2PE) or tokenised solution so that the trust's own systems never see the card number. Whatever remains in scope needs encryption, monitoring tools and regular vulnerability assessments.
Is your trust on the pulse of PCI compliance?
Our expert team at Access PaySuite works closely with NHS trusts across London and the UK, including Kings College Hospital, University College London Hospitals, Manchester University and Northumbria Healthcare.
We understand the challenges of PCI DSS compliance inside and out, and we’d be happy to support your organisation as you assess payment systems and aim to implement tighter security controls around card transactions.
Get in touch below to discuss your challenges and discover how PaySuite can deliver a seamless, secure payment experience for your patients and staff.