The 834 transaction for Health Insurance Exchanges (5010X307) has two situational segments in Loop 2000 that support Credit/Debit Card data - 1) REF Credit/Debit Card Information and 2) DTP Credit Card Expiration Date. We are asking for clarification (or business case) with respect to the data in the segment REF Credit/Debit Card Number REF02 Reference Identifier (Credit Card Number) and REF04-02 Reference Identifier (Card Security Code) being permitted as the transfer and storage of Credit Card information in an EDI transaction, may cause a health plan to have issues if audited for Payment Card Industry Data Security Standards (PCI-DSS).
The capability to transmit enrollee payment data was added to the X307 as the result of a request from health plans and upon confirmation that several states, intending to setup a state-based exchange, were able to share the data with issuers.
Entities using the transaction to transmit such data are responsible for adhering to other standards and regulations outside of the transaction. The TR3 has no purview over how senders and receivers of the data treat the data outside of the transaction itself.