P2PE devices In healthcare
Blog
28 Jun 2024
Jesus Torres, Senior Account Executive at Eckoh, highlights how encrypted PIN pads fall short for card-not-present transactions, exposing healthcare environments to PCI DSS risks.
In the healthcare industry, encrypted PIN pads (also known as POI devices or point-to-point encryption (P2PE) devices) are widely used as a way of enabling departments and/or business units’ representatives to take payment from patients.
These devices are primarily designed as a way of taking payments when the cardholder is physically present. The PCI Standards Council suggests that, when used in this way, a POI device can remove significant parts (but not all) of a merchant’s cardholder environment from PCI scope.
However, from my experience working with many healthcare organizations, I’d estimate that as many as 90% of the companies that I speak to are using POI devices as a way for card data to be entered directly by the healthcare representative for card-not-present transaction/over the phone payments. It is important to understand that, when used this way for card not present (CNP) payments, very significant amounts of your environment remain in scope for PCI DSS.
When a patient makes a payment over the phone, they read out their card numbers and the agent enters them into the PIN pad on their behalf. When used this way these POI devices provide only partial security. The cardholder data transmission from the agent's entry point to the payment service provider is indeed encrypted. However, the issue is that while the transmission is encrypted, the card data is still exposed within the overall healthcare environment. The agent can hear the credit card information as the caller reads it out, and it traverses the telephony, network and internal systems unencrypted before reaching the PIN pad.
This exposure means that, despite using POI devices, the environment remains in scope for PCI DSS compliance, presenting a significant security risk, as well as meaning that the merchant has to engage in a complex and expensive PCI auditing process. And there are other complexities. For example, if the organization is recording its calls, then it would need to consider how to ensure that the calls are paused and cardholder data is not being recorded as it is being spoken by the cardholders, otherwise the call recording is also then in scope.
An Eckoh client who recently switched from using POI devices to using Eckoh’s CallGuard solution for phone based payments explains just how much of a challenge dealing with this issue can be.
“All calls were recorded, and the process was to manually pause and resume the recording while accepting cardholder data (CHD) over the phone. During an audit it was determined that some recordings were not paused, resulting in archived or stored CHD. This started a whole new process of auditing recorded calls each day to ensure CHD was removed or scrubbed from our servers and that proper training and coaching sessions were accommodated for the users responsible for the incidents. This was a major risk and after working with a QSA we were able to determine that the average cost of one of those recordings getting breached would cost us $44,000 in communications, additional audits, potential fines or fees, loss of reputation and so on.”
In addition to the security issues that these POI devices present, they also come with significant costs and maintenance issues. Each agent requires their own POI device, which comes at a cost and then requires ongoing maintenance, as well as replacement costs if the device is lost or needs to be replaced for any reason. Additionally, POI devices are not flexible for remote work which is now a new working model after the pandemic, adding further complications. There is also a significant amount of administration required from a PCI compliance perspective. The organization needs to maintain an accurate an up-to-date list of these devices, they must be periodically inspected to look for tampering or unauthorised access, and personnel need to be trained to be aware of suspicious behavior and report tampering or unauthorised substitution of devices.
Our client explains how these costs mount up.
“Every agent that accepted payments over the phone had an encrypted POI device assigned to them. These devices were powered up 24/7 and utilized electricity and data in our environment. These devices required periodic inspections and troubleshooting/replacement when they stopped working. Each occurrence of these situations cost an average of $225 with time, loss of payment collections, and resources required to correct the situation. All of these costs could be eliminated by the Eckoh CallGuard solution.”
By switching to Eckoh’s CallGuard solution all these problems are immediately solved. With CallGuard, patients enter their card details using their telephone keypad or via secure speech, a functionality that can be leveraged with CallGuard. The DTMF tones are masked, and the agent is not exposed to the card details in any way (and neither is the telephony, network or call recording). The data remains protected and secured throughout the entire transaction – from initial intake to processing the payment with the payment service provider. There’s no requirement for additional devices, solutions or work arounds so the associated cost of running and maintaining several solutions are removed.
CallGuard ensures complete removal of card data from the environment, enhancing security and reducing PCI DSS compliance scope. Many healthcare organizations today are now leveraging CallGuard for telephone payment security and compliance because of its non-intrusive and flexible nature. Healthcare organizations can continue to leverage their telephony carriers, payment process and payment service vendors. It is business as usual. CallGuard places a security layer around their environment to ensure security and PCI DSS compliance.
Data breaches in healthcare are rising at a dizzying rate. In 2021 45.9 million healthcare records were breached, In 2022 this number rose to 51.9 million and in 2023 it jumped again to a staggering 133 million records. Healthcare organizations are under constant threat and cannot afford to take any chances with the security of their patients’ data. By using CallGuard your healthcare organization can benefit, safeguarding both your patients’ sensitive information and your business’s reputation.
Let’s discuss further how we can help you have a better security and compliance stance using CallGuard and give your organization peace of mind.
Jesus Torres
Senior Account Executive
If you’re looking to tighten internal PCI DSS and compliance measures and step up the game as it relates to your customers’ payments security, check out Eckoh’s site to see how the likes of dozens of Fortune 500 companies utilize Eckoh to completely descope of PCI DSS information and future proof their infrastructures from a potential data breach.
