Jane wants to protect ALL of your clinic data. This of course includes your patient health records, but it also includes credit card information. Every now and then a situation comes up where clinics or patients of clinics are concerned about how Jane stores credit card information, so we thought it would be helpful to talk a little about how Jane handles this data.
What is the Payment Card Industry Data Security Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a protection measure that applies to any company that accepts credit card payments. PCI compliance is managed by the PCI Security Standards Council.
Is Jane compliant with PCI standards?
Jane Payments, which is Jane’s payment solution, is PCI-compliant! Any client cards you store on file or payments you take through Jane Payments are done in a PCI-compliant manner. Being that Jane only stores a token of the credit card (more on that to come!) and that the processing of the credit card actually takes place outside of Jane directly within our payment processors, this all means that Jane is PCI-compliant in the way that we are setup as an application and a company.
Now, if you like to know the technical side like us, then read on! So, all of this means that although Jane is PCI-DSS SAQ A compliant, we work with our payment processors who are PCI-DSS certified/PCI-compliant, and altogether, this results in a PCI-compliant workflow when accepting and processing credit cards with Jane Payments.
If Jane Payments is PCI-compliant, my clinic is too, right?
It’s important to note that software can’t do everything - human behaviour is just as important to data protection and security as compliant software. Whether we’re talking about health records or credit card data, it’s crucial to create and implement policies in your clinic that require managers, practitioners, and all staff to uphold the highest data protection standards.
To remain PCI compliant is everyone’s responsibility at the clinic. Any credit card info that is manually entered in plain text in Jane does not comply with PCI standards. Jane will try to help you maintain PCI compliance by starring out (ex. 4111 ** ** ***) anything that is recognized as a credit card in Chart Entries, Intake Forms, or note fields. We strongly discourage recording credit card information in Jane outside of the Jane Payments interface to keep both your clinic and Jane within the PCI standards.
Clinics often have highly-specific questions about their particular data and the way it is organized. Our team is always here to help so let us know what we can do.
How does Jane store credit card data?
In fact, no credit card data is stored in Jane. See below for how that’s possible!
But I enter credit card information into Jane. Isn’t the data stored in Jane?
Not quite. When you enter credit card information into Jane, Jane creates and keeps a token that can be used to reference that information. But the actual sensitive information is sent to and stored within our payment processing partners.
What’s a “token?”
A token is a snippet of code that replaces sensitive information with a non-sensitive place-holder: a “token.” Jane stores non-sensitive tokens that refer to the data held in the credit card processor’s system (the actual sensitive data). And Jane only works with PCI-compliant credit card processing companies.
How do PCI regulations keep my data safe?
Security measures under PCI fall into two categories: technical and operational. Each measure was created to meet a specific goal. Any company that accepts credit card payments must adhere to PCI requirements.
Still Have Questions?
Have any questions about this guide or anything else related to security or compliance? Feel free to email Privacy and Security Support at [email protected] and we’d love to clarify anything you’re unsure on!