Credit Card Security
Patient Confidentiality and HIPAA Compliance
How secure is my credit card information?
Crane takes the security of your credit card information very seriously. Of course, all credit card data is communicated over a secure, encrypted connection using SSL. But unlike many online businesses, we don't stop there. We use Extended Validation SSL, and we adhere to the highest standard of credit card security: the PCI Data Security Standard.
What is the PCI Data Security Standard?
The PCI Data Security Standard (PCI DSS) is the highest standard of credit card security. It was established by the Payment Card Industry Security Standards Council, an organization dedicated to preventing credit card theft and identity fraud that was formed by Visa, MasterCard, American Express, and other major credit card companies. The PCI Data Security Standard is a "multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures." Visit the PCI DSS website to learn more.
How can I be sure that Crane meets this high security standard?
One of the requirements of the PCI Data Security Standard is independent security assessment. In order to be PCI DSS compliant, a company must hire an independent, certified "Security Assessor" to evaluate their network and website. Crane uses SecurityMetrics, a leading security assessor, to perform this valuable security check. Every three months, they perform an extensive scan of Crane's systems, checking for hundreds of known security vulnerabilities. Because we pass every single test in their scan, we can proudly display their stamp of approval:
You should look for this logo (or other certification of PCI DSS compliance) whenever you enter your credit card online.
What is an Extended Validation SSL certificate, and what does the green bar in my browser mean?
Extended Validation (EV) SSL certificates offer an extra level of protection above normal SSL encryption. Developed to combat the problem of fraudulent websites and "phishing", EV certificates are issued by certificate authorities like GeoTrust only after they have verified the identity and legitimacy of the company. Most banks and major e-commerce sites now use EV certificates exclusively. In modern browsers, a green bar appears with the company name whenever you are viewing a website with an EV certificate. Look for the green bar to be sure you are on a legitimate, validated website.
This is how the green bar appears in Firefox 5.0. It looks slightly different in other browsers.
Is patient health information kept confidential?
Patient health information is kept strictly confidential at Crane. Prescription details are discussed with no one but the patient and the health practitioner who submitted the prescription. Crane's policies and procedures are fully compliant with all relevant federal and state regulations, including the HIPAA Privacy Rule.
What are HIPAA and the HIPAA Privacy Rule?
The HIPAA Privacy Rule is the primary federal law governing the security and privacy of your health information. It is part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is enforced by the U.S. Department of Health & Human Services. The HHS website has extensive information about the HIPAA Privacy Rule and related regulations.