Health Law Highlights

New PCI DSS 4.0 Will Impact the Digital Health, Healthcare Industries

From McDermott Will & Emery, by Mark E. Schreiber, Brian Long, Jonathan Ende:

The healthcare industry, particularly digital health, is increasingly adopting an e-commerce model, accepting direct payments from consumers. This necessitates compliance with the Payment Card Industry Data Security Standard (PCI DSS), even if payment card processing is outsourced. 

The new version of PCI DSS (4.0) will be mandatory from March 31, 2024, introducing more rigorous requirements. Entities that offer these services and accept payment cards must complete either a report on compliance (ROC) or a self-assessment questionnaire (SAQ) annually.

PCI DSS 4.0 brings new requirements, focusing on targeted risk analysis, organizational maturity, and governance. It makes PCI DSS compliance a continuous effort, rather than an annual task, and allows businesses to implement alternative controls that meet the customized approach objective.

Some significant changes in PCI DSS 4.0 include increased requirements for yearly diligence for merchants and service providers, introduction of a customized approach for controls, expanded risk analysis guidance, and clarifications to the “significant change” standard.

Failure to comply with PCI DSS 4.0 may lead to investigations, fines, penalties, and assessments by card brands and acquirers. It may also lead to legal risks, as the new version requires more security documentation and risk analysis, exposing the company’s security posture to greater scrutiny. Therefore, businesses should promptly begin addressing and validating compliance.