Ever increasing numbers of consumers use their mobile devices to shop and pay bills. Retailers and financial institutions have been prime data breach targets for quite a while. Many of those entities have been undertaking efforts for quite some time to address the Payment Card Industry (PCI) standards to ensure the security of their transactions and the protection of their customers’ credit/debit card information.
But most healthcare organizations lack the transactional volume that retailers have, which means that they may have flown “under the radar” and may not have received pressure to comply with PCI to this point. Further, over the last decade, the primary compliance focus of most healthcare entities has been on the Health Insurance Portability and Accountability Act (HIPAA). As a result, the healthcare industry hasn’t matured as quickly with respect to PCI compliance. Although healthcare organizations may not have received industry pressure to comply with PCI yet, if they store, process, or transmit credit card data, they still must adhere to the same standards as traditional retailers and financial institutions. With HIPAA compliance programs in place, healthcare companies are now focusing attention towards PCI 3.1 compliance.
Reducing the PCI Scope of Healthcare Payments
PCI scope reduction has been the biggest stumbling block for healthcare organizations so far. While PCI doesn’t require the use of network segmentation to reduce scope, it can be a very effective strategy to help ease the burden of compliance. However, implementing a segmentation strategy on a production network where it hasn’t previously been in place is very tricky. It requires lots of planning, testing, and coordination in order to minimize unplanned outages and downtime. However, healthcare entities should avoid allowing the daunting task of segmentation to inhibit their PCI compliance efforts. One way or another, card data should be protected.
According to the Verizon 2015 PCI Compliance Report, of the payment breaches it investigated over the past decade, not a single organization was PCI-compliant at the time of the breach incident.
And lest an organization think that PCI compliance is too costly, it needs to weigh the money saved by avoiding a breach via a strong PCI compliance program versus the investment in PCI compliance itself. The Verizon report noted that costs are reduced from $21 to $17 per breached record when a strong security program and formal incident response plan are in place.
Most organizations believe they’re more compliant than they actually are, and this includes compliance with the PCI requirements. Many jump the gun – working on compliance rather than evaluating risks and vulnerabilities first. Some of the best money an organization can spend is on a PCI gap assessment. In fact, these assessments often pay for themselves.
A PCI gap assessment walks clients through PCI controls to identify oversights or shortfalls in existing policies and practices. A plan is developed to address them, with priorities assigned based on guidance from the PCI Standards Council. Scoping is a big part of the gap assessment – paving the way for greater operational efficiencies and significantly increasing cost-savings and reducing overhead.
It would behoove every organization to conduct a risk assessment – even before the gap assessment – prior to implementing PCI compliance. A risk assessment serves as a blueprint from which everything else follows, including the gap assessment and PCI compliance – prioritizing issues from highest to lowest.
Organizations should work with a QSA to evaluate the status of their PCI compliance program. A QSA can help provide interpretive guidance related to the PCI requirements and can provide insights regarding how other similar entities have addressed certain challenges. Not utilizing a QSA when assessing PCI compliance posture often results in inaccurate assumptions regarding PCI requirements and scope, and can lead to time and effort being expended in the wrong areas. When gaps are identified, remediation should focus on addressing the key issues first. Ancillary issues should then be assessed and resolved. Doing so eases the path to more efficient PCI compliance. It also makes stakeholder buy-in easier for the organization. Unfortunately, many organizations undergo a risk assessment yet fail to follow through on an action plan to address identified risks.
The Quick Route to Reducing PCI Scope
Ideally, every organization, regardless of its industry, should follow the advice above. Conduct a risk assessment, remediate issues, and then conduct a PCI gap assessment, including PCI scoping, before addressing PCI compliance issues. The reality is not every organization can or will follow that advice for various reasons.
Barring your organization’s ability to work with a QSA, you should – at the very least – implement a validated Point-to-Point Encryption (P2PE) solution. It’s the simplest, most cost-effective way to reduce PCI scope and responsibility. In addition, it greatly reduces the likelihood of a breach of credit card data.
Ensure that Vendors Meet Compliance Standards
Healthcare organizations should be mindful of PCI compliance when utilizing vendors in their card processing environments. Where possible, vendors should have a QSA-validated PCI certification for their scope of work. If an organization is going to use a vendor to implement a new payment solution, it should ensure that the solution is P2PE-approved and certified by the PCI Council.
Take the vendor evaluation process a step further and ask for written confirmation from your card processor (usually a bank) – reaffirming that the solution is acceptable. Don’t engage a vendor or sign their contract until you’ve received confirmation of their validated P2PE and PCI compliance.
Validated P2PE solutions are listed on the PCI Council (PCI SSC) website. When in doubt, check that list for confirmation. Combining a validated P2PE solution with an EMV-enabled payment terminal helps to maintain data security throughout the payment lifecycle. The PCI Mobile Payment Fact Sheet is a good resource for additional information on what your solutions provider should cover as well as need-to-know information on P2PE devices.
If it’s too daunting a task, engage a qualified QSA to stay abreast of PCI Council changes/updates/regulations, and to obtain guidance and validation of planned compliance efforts. Undoubtedly, there will be more clarifications in the future from the PCI Council. We encourage all organizations to visit the PCI website for regular updates.
Stay the Course to Stay Compliant
One final piece of advice in attaining PCI compliance: You’ve heard us say it before and we’ll say it again. PCI compliance is not a “one and done” proposition. It’s an ongoing effort.
The Verizon report also cited that 80% of organizations failed their initial PCI compliance assessment in 2014. Just one in three adequately and routinely tested its cardholder data security controls in 2014. As a result, in less than a year, 71% were no longer compliant in 2014 – even after previously being deemed compliant.
All organizations, including those in healthcare, need to stay the course in order to stay compliant. You wouldn’t exercise and eat right for just one day – believing that it would keep you healthy for life. Why should your PCI compliance program be any different?