PCI (payment card industry), Red Flag Rules (governed by the Federal Trade Commission) and HIPAA (The Health Insurance Portability and Accountability Act) is that if executed properly, your business or medical practice will GREATLY reduce its risk of becoming a victim of fraud.

Most people are pretty familiar with HIPAA privacy laws thanks to those lengthy forms we are required to fill out at the doctor's office. But generally speaking, when the conversation turns to PCI compliance or Red Flag Rules, people tend to assume that glazed-over look, and I don't blame them.

Unfortunately, these compliance programs are essential, not only to prevent fraud, but to do business in general. So, I have done my best here to explain the difference between PCI and Red Flag Rules and provide some helpful resources for businesses taking on the daunting task of compliance.
The Difference Between PCI Compliance and Red Flag Rules:
What is PCI?
PCI is a set of standards required of ANY business in order to accept credit cards. These standards are overseen by the PCI Security Standards Council but are set by the individual payment brands (MasterCard, Visa, Discover, and American Express), who also dictate the non-compliance penalties (pesky fees you have to keep paying until you get compliant). If you are a business of any size accepting credit cards, you must be in compliance with PCI Security Council standards.
What do you need to be PCI compliant?
There are a series of technical and operational assessments your business will have to conduct in order to become PCI Compliant. Many of these procedures depend on the size of a business and how it transmits and stores credit card data.
What are Red Flag Rules?
These rules, developed and governed by the FTC, require certain businesses and organizations to develop and implement a written Identity Theft Prevention Program (a book) designed to detect the "red flags" associated with identity theft. These rules are meant to help businesses notice suspicious activity and prevent it from escalating further.
The only types of businesses required to have a Red Flag Rule book are:
- Financial institutions and creditors that hold consumer accounts designed to permit multiple payments or transactions — or any other account for which there is a reasonably foreseeable risk of identity theft. This includes all banks, savings associations, and credit unions, regardless of whether they hold a transaction account belonging to a consumer; and anyone else who directly or indirectly holds a transaction account belonging to a consumer.
How do I get my Red Flag Rules in order?
The FTC has very specific guidelines for compiling Red Flag Rule books. These books must include "...reasonable policies and procedures for detecting, preventing, and mitigating identity theft."
These books should enable the organization to:
- Identify relevant patterns, practices, and specific forms of activity — the “red flags” — that signal possible identity theft;
- Incorporate business practices to detect red flags;
- Detail your appropriate response to any red flags you detect to prevent and mitigate identity theft; and
- Be updated periodically to reflect changes in risks from identity theft.