We talk a lot about security here at Owl Practice because it’s one of the most important aspects of your practice. Yes, we offer extensive features that make the lives of both providers and clients easier, like online scheduling and intake forms, but it’s the security part of the equation where you should really feel—well, secure!
Your clients’ confidential personal information is incredibly valuable. They share with you information about themselves that is extraordinarily personal. All of your client notes need to be kept in a secure database where they’ll be protected from hacking, theft, and loss.
All Owl Practice patient data is stored on Canadian servers using bank-level encryption (SSL). This means that they’re protected by Canadian privacy laws and are out of the hands of any non-Canadian agencies. We’re College and PHIPA compliant and regularly back up all data so, in the improbable event there’s a catastrophic failure, your data will be secure.
But there’s another significant aspect of cybersecurity that you need to pay attention to: your clients’ financial information. The days when you could write down a client’s credit card number and give them a written receipt are long, long gone. Now, security is the name of the game, and all financial transactions need to be PCI compliant.
What is PCI Compliance?
The Payment Card Industry Security Standards Council (PCI SSC) is entrusted with the responsibility of protecting cardholder data and minimizing the threat of credit card fraud. To facilitate this, they created a set of regulations known as PCI Compliance that all organizations who handle card payments must adhere to.
If you accept card payments, and store, process, or transmit cardholder data in any way, you need to do so in a manner that is PCI Compliant by using a PCI Hosting Provider. This is typically the entity that handles all of your card processing. The PCI Hosting Provider that you use is responsible for the safe storage, processing, and transmission of card details and other information; they bear the burden of maintaining PCI Compliance. PCI Hosting Providers are subject to annual audits from the PCI Security Standards Council to confirm that all security standards are consistently upheld.
Now, if that sounds like an awful lot of responsibility, don’t worry. Thankfully, Owl has made this even easier for you by partnering with Stripe Payments to provide you with a secure integrated option for processing credit card payments. Stripe is now fully integrated with Owl for card storage and payment processing! Stripe is the secure PCI Hosting Provider that you can use to facilitate card payments from your clients securely, and they are a trusted Level-1 PCI Compliant provider (that’s the highest level of security and compliance!).
Owl launches Stripe integration on October 10, 2018. Using this tool, when it’s time for your clients to pay, you can input their card data securely into their account in Owl where it will be saved securely and vaulted within Stripe. When the card data is input into Owl, an API call is sent to Stripe to validate the card data and store it securely on the account using tokenization. The card data becomes securely referenceable so it can be used in future transactions. So you don’t have to worry about retaking a client’s card details after every visit, or exposing the card details to anyone. All you need to do is make sure that the card data is always keyed directly into the designated area in Owl Practice that has been built to connect with Stripe for card validation and storage. Once you do that, your clients’ card information will be safely and securely stored for future use.
Frontline Compliance: Dos and Don’ts
Stripe and Owl Practice work flawlessly together to ensure card security, but that doesn’t mean all of the responsibility is out of your hands. As a frontline business that’s regularly processing card transactions, there are some dos and don’ts regarding card security that you need to keep in mind:
Do input all data and transactions directly into the secure PCI Hosting Provider’s (Owl/Stripe) system. If possible, use encrypted card swipers to collect and transmit all data into the system, if compatible with the provider. Or, be sure to process all of the transactions through a secure standalone merchant terminal, if preferred.
Don’t ever record or write down cardholder information on paper, even if you’re writing it down on a post-it note temporarily. That information needs to be keyed into the secure system directly, every time. Keep in mind that Credit Card Authorization forms are not PCI compliant. In fact, storing any paper forms with card numbers, CVVs, and expiry dates is not compliant and poses a significant risk for identity theft. Credit Card Authorization forms are quickly becoming a thing of the past because they are more susceptible to fraud.
Do use a secure, encrypted phone line if you’re exchanging cardholder information over the phone. If you happen to use a call centre, check to see if they have the ability to allow customers to input their card data through a secure touch-tone option, ensuring that no one else hears or sees the card details.
Don’t ever record cardholder information in computer files or spreadsheets. Computers can be hacked, and that information could be stolen and used for identity theft. (Owl’s integration with Stripe solves this problem.)
Do make sure that all card numbers are rendered unreadable (tokenized) anywhere they’re kept and stored. You should only ever see the last four digits and expiry of all cards on file. (Again, not something you have to worry about when you use Owl’s integration with Stripe.)
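To make the tokenization flow described above concrete (card keyed in once, validated, vaulted by the hosting provider, and referenced by an opaque token afterwards), here is an added example in Python. It is not Owl Practice or Stripe code: `CardVault` stands in for the PCI Hosting Provider’s vault, `MerchantRecords` stands in for the practice-side system, and the Luhn check, the sample card number and the `contains_pan` helper are constructed for this illustration. It shows the two properties the dos and don’ts turn on: the practice-side record holds only a token, the last four digits and the expiry, and a simple scan can confirm that no full card number ever lands in a file or export.

```python
"""Illustrative tokenization flow (added example; not Owl Practice or Stripe code).

The merchant system hands the card to the vault (standing in for the PCI hosting
provider) and keeps only an opaque token plus last four digits and expiry.
The vault, the Luhn check, the token format and the sample card number are all
constructed for this example and are not a real provider's API.
"""
import re
import secrets
import string
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 checksum: rejects obviously mistyped card numbers."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CardVault:
    """Stand-in for the hosting provider's vault: the only place a PAN lives."""

    def __init__(self) -> None:
        self._store: dict[str, dict] = {}

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("card number failed validation")
        # Opaque random token (letters only here, so it can never look like a PAN)
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._store[token] = {"pan": pan, "exp_month": exp_month, "exp_year": exp_year}
        return {"token": token, "last4": pan[-4:], "exp_month": exp_month, "exp_year": exp_year}

    def charge(self, token: str, amount_cents: int) -> dict:
        card = self._store.get(token)
        if card is None:
            raise KeyError("unknown token")
        # A real provider would submit to the card network here; we only acknowledge.
        return {"status": "succeeded", "amount_cents": amount_cents, "last4": card["pan"][-4:]}


@dataclass
class CardOnFile:
    """What the practice-side system is allowed to keep: no card number."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


class MerchantRecords:
    """The practice-side system: stores references to cards, never the PAN."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.cards: dict[str, CardOnFile] = {}

    def save_card(self, client_id: str, pan: str, exp_month: int, exp_year: int) -> CardOnFile:
        t = self.vault.tokenize(pan, exp_month, exp_year)
        card = CardOnFile(t["token"], t["last4"], t["exp_month"], t["exp_year"])
        self.cards[client_id] = card
        return card

    def charge_client(self, client_id: str, amount_cents: int) -> dict:
        # Future visits reference the token; the card is never re-keyed.
        return self.vault.charge(self.cards[client_id].token, amount_cents)


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer number
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def contains_pan(text: str) -> bool:
    """True if the text holds a digit run that passes Luhn: a quick check for
    records, exports or spreadsheets that must not contain card numbers."""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))


if __name__ == "__main__":
    vault = CardVault()
    records = MerchantRecords(vault)
    # 4242 4242 4242 4242 is a widely published test number, not a real card
    card = records.save_card("client-001", "4242 4242 4242 4242", 12, 2030)
    print(card)                                   # token, last4 and expiry only
    print(records.charge_client("client-001", 15000))
    print(contains_pan(repr(records.cards)))      # False: no PAN in practice-side data
    print(contains_pan("Jane Doe, 4242 4242 4242 4242, 12/30"))  # True: a row that must not exist
```

The design choice worth noting is that the token is random rather than derived from the card number, so knowing a token tells you nothing about the card, and the only system that can map a token back to a PAN is the vault. The `contains_pan` scan is the kind of check a practice could run over an exported spreadsheet or notes file to confirm the "no card numbers in computer files" rule is actually holding.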
If you keep these dos and don’ts in mind, then Owl and Stripe will be taking care of most of the work, leaving you with a few simple frontline best practices that you can follow to provide your clients with the best possible security! If you’re not yet using Owl Practice and you’d like to free yourself from the burden of securing your patients’ financial information, we invite you to sign up for a free demo! If you have any questions or comments about our services, we invite you to contact us at firstname.lastname@example.org.