By Dr. Heather Mark
The healthcare industry is, as most know, heavily regulated. Government regulations detail how data is to be collected, shared, and protected, how patients can access their data, how research is conducted and reported, and a multitude of other factors. Layering in the protection of payment card data can seem overwhelming, particularly given the size and complexity of health care networks: physicians’ offices, laboratories, hospitals, and clinics. Fold in a sprinkling of online bill pay as well, and one can see how the prospect of complying with the PCI DSS, on top of other regulatory mandates, can be daunting. But PCI DSS compliance can be made more manageable by employing scope reduction strategies.
First things first, though. What is scope reduction? To understand this, one must understand what is defined as the Cardholder Data Environment, or CDE. The CDE is defined by the Payment Card Industry Security Standards Council (PCI SSC) as the “people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. ‘System Components’ include network devices, servers, computing devices, and applications… [and] any other component or device located within or connected to the CDE.” So, the scope of the CDE is any device or person that has access to cardholder data and any device connected to that component. For many organizations, in healthcare and beyond, that scope can seem fairly daunting. The objective of scope reduction is to minimize the number of components that come into contact with the cardholder data. By reducing the number of components that contact cardholder data, an organization can reduce its scope. This serves the purpose of reducing the complexity of the CDE, the cost and complexity of the PCI DSS assessment, and the work factor involved in maintaining compliance.
So, how can an organization reduce their scope? The first step is to know where and how payments are accepted. Questions that can help in that process include:
- Where does your health system physically accept electronic payments?
  - Front Desk
  - Call Center
  - Emergency Room
  - Gift Shop
- How do you accept payments in these locations?
  - In Person
  - EHR Software
- Does your EHR system offer a secure payment integration?
- Does your payment integration support:
  - Validated Point to Point Encryption
  - Hosted Payment Page for secure online transactions
  - Secure recurring billing and installment payments
It is also important to determine whether you have appropriately segmented your CDE, so that the rest of the organization is not pulled into scope. In other words, if your payment environment is connected to your corporate environment without firewalls, routers or other appropriate controls in place to isolate it, you could end up having to manage PCI compliance for every part of your network. Per the PCI DSS, “Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
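The scoping rule quoted above can be checked mechanically against a network inventory. The following is an added example, not code from the original post or from any assessor's toolkit: it takes a constructed list of components and a segment-level firewall policy (all names, segments and rules are assumptions for illustration), derives the permitted host-to-host flows, and reports the CDE, the "connected-to" components that a permitted flow pulls into scope, and the components that remain candidates for being out of scope. Running it with a flat policy and then with a segmented one shows why the flat network brings every host into the assessment.

```python
"""Compute PCI DSS scope from an inventory and a segmentation policy.

Added example, not from the original post. The components, segments and
policies below are constructed for illustration. The rule implemented is the
one the PCI DSS states: components that handle cardholder data form the CDE,
any component with a permitted network flow to or from the CDE is
"connected to" it and is also in scope, and only components with no such
flow are candidates for being out of scope.
"""
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Component:
    name: str
    segment: str
    handles_chd: bool = False  # stores, processes or transmits cardholder data


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    allowed: bool  # what the firewall/ACL between the two hosts permits


def flows_from_policy(components, policy):
    """Expand a segment-level policy into host-level flows.

    policy maps (src_segment, dst_segment) -> True for permitted cross-segment
    traffic; pairs that are missing are denied. Hosts inside one segment are
    assumed to reach each other freely (no intra-segment filtering).
    """
    flows = []
    for a, b in permutations(components, 2):
        if a.segment == b.segment:
            allowed = True
        else:
            allowed = policy.get((a.segment, b.segment), False)
        flows.append(Flow(a.name, b.name, allowed))
    return flows


def pci_scope(components, flows):
    """Return (cde, connected_to): the two sets of in-scope component names."""
    cde = {c.name for c in components if c.handles_chd}
    connected_to = set()
    for f in flows:
        if not f.allowed:
            continue
        if f.src in cde and f.dst not in cde:
            connected_to.add(f.dst)
        elif f.dst in cde and f.src not in cde:
            connected_to.add(f.src)
    return cde, connected_to


def out_of_scope_candidates(components, flows):
    """Components with no permitted flow to or from the CDE in either direction.

    These are only candidates: the assessor still has to confirm that the
    control blocking the flow is effective, so that compromising the
    component could not affect the CDE.
    """
    cde, connected_to = pci_scope(components, flows)
    return {c.name for c in components} - cde - connected_to


# Constructed inventory for a small clinic network (assumed names).
INVENTORY = [
    Component("pos-frontdesk", "payments", handles_chd=True),
    Component("payment-gw-proxy", "payments", handles_chd=True),
    Component("ehr-app", "clinical"),
    Component("hr-fileserver", "corporate"),
    Component("giftshop-pc", "corporate"),
]
SEGMENTS = sorted({c.segment for c in INVENTORY})

# A "flat network": every segment may talk to every other segment.
FLAT_POLICY = {(a, b): True for a in SEGMENTS for b in SEGMENTS if a != b}

# Segmented: only the EHR application may initiate connections into the
# payments segment (to hand a patient off to the payment integration);
# nothing from the corporate segment crosses, and payments initiates nothing.
SEGMENTED_POLICY = {("clinical", "payments"): True}


def main():
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        flows = flows_from_policy(INVENTORY, policy)
        cde, connected_to = pci_scope(INVENTORY, flows)
        print(f"{label:>9}: CDE={sorted(cde)} connected-to={sorted(connected_to)} "
              f"out-of-scope candidates={sorted(out_of_scope_candidates(INVENTORY, flows))}")


if __name__ == "__main__":
    main()
```

The policy is deliberately expressed as what the firewalls permit rather than what is physically cabled, because that is what an assessor will test; a segment that can reach the CDE on any port is connected to it regardless of intent. Feeding the real rule base in place of the constructed policy turns this into a quick pre-assessment sanity check.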
Another strategy for reducing the scope of the CDE is to reduce the number of cardholder data touchpoints in the environment. The fewer places at which cardholder data enters the environment, the greater the scope reduction. Any number of solutions can be employed, but here is a brief description of the most effective means* of reducing interaction with cardholder data:
- Hosted Payment Pages – merchants can accept payments through a hosted payment page. The page is hosted by a PCI DSS validated, registered service provider. The payment information posts directly from the consumer’s browser to the service provider, bypassing the healthcare provider’s environment; the healthcare provider’s own web servers never receive the card data.
- Tokenization – in this solution, the payment information is replaced with a randomly generated value (the token) that stands in for the card. Because the token is random rather than derived from the card number, it cannot be turned back into the card number without the provider’s token vault. The healthcare provider can still use that token to process subsequent payments, as may be useful for patients on payment plans, for reporting and patient payment analysis, and for chargeback or dispute purposes. The benefit here is the reduced payment data footprint within the organization: only tokens and, at most, a masked card number need to be stored.
- PCI Validated Point to Point Encryption (P2PE) – a P2PE solution is one in which the cardholder data is encrypted at the point of interaction (swipe, dip, or key entry on the terminal) and is not decrypted until it reaches the solution provider’s secure decryption environment, so it crosses the healthcare organization’s network only in encrypted form. The payment is processed, and in the authorization response returned to the healthcare organization the payment data is replaced with a token.
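The tokenization and P2PE items above both end with the healthcare organization holding a token instead of a card number. The following added example (not from the original post and not any provider's product) shows the division of responsibility in working code: a simulated provider-side token vault that validates the card number, issues a random token and keeps the only mapping back to the PAN; a merchant-side billing record and installment charge that never see the PAN; and a scan that confirms stored records carry only tokens and masked values. The PAN used is a constructed test number, and the vault, record layout and response fields are assumptions for illustration.

```python
"""Tokenization as a scope-reduction control: what the provider holds versus
what the healthcare organization keeps.

Added example, not from the original post or any vendor's product. TokenVault
stands in for the service provider's token service; the merchant-side code
never calls detokenize(). The PAN in main() is a constructed test number.
"""
import json
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test that every real PAN passes."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


PAN_RUN = re.compile(r"\d{13,19}")


def contains_pan(text: str) -> bool:
    """Scan stored data for anything that looks like a live PAN: a 13-19 digit
    run (spaces and hyphens removed) that passes Luhn. Use it on records, logs
    and exports on the merchant side to confirm only tokens and masked values
    are present."""
    collapsed = re.sub(r"[ -]", "", text)
    return any(luhn_ok(m.group()) for m in PAN_RUN.finditer(collapsed))


class TokenVault:
    """Provider side. In production the PAN column is encrypted and the vault
    lives inside the provider's own PCI-assessed environment."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, raw_pan: str):
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        # The token is random, so it reveals nothing about the PAN and cannot
        # be brute-forced the way a plain hash of the (small) PAN space could.
        token = "tok_" + secrets.token_hex(12)
        while token in self._pan_by_token:  # vanishingly unlikely collision
            token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        return token, mask_pan(pan)

    def detokenize(self, token: str) -> str:
        """Only the provider's own authorization path calls this."""
        return self._pan_by_token[token]

    def authorize(self, token: str, amount_cents: int) -> dict:
        """Simulated authorization: the PAN is looked up here, would be sent to
        the processor, and never appears in the response."""
        pan = self.detokenize(token)
        approved = amount_cents > 0 and luhn_ok(pan)
        return {"approved": approved, "token": token,
                "last4": pan[-4:], "amount_cents": amount_cents}


def charge_installment(vault: TokenVault, record: dict, amount_cents: int) -> dict:
    """Healthcare-organization side: a payment-plan installment is charged
    with the stored token; the PAN never enters this function."""
    return vault.authorize(record["token"], amount_cents)


def main():
    vault = TokenVault()
    token, masked = vault.tokenize("4111 1111 1111 1111")  # constructed test PAN
    # What the healthcare organization stores for a patient on a payment plan.
    record = {"patient_id": "P-1001", "token": token, "card": masked}
    print(json.dumps(record))
    print("stored record contains a PAN:", contains_pan(json.dumps(record)))
    print(charge_installment(vault, record, 2500))


if __name__ == "__main__":
    main()
```

The scope benefit comes from the merchant side holding nothing that `contains_pan` would flag: if the vault is breached the provider has a problem, but a compromised billing database at the clinic yields tokens that are useless without that vault. The same scan is worth running over logs and exports, which is where card numbers tend to leak back in.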
As technology continues to evolve and healthcare organizations find new ways to connect with and serve their patients and communities, it is important to remain mindful of the potential risks that those new technologies may present. By implementing the above solutions, healthcare providers may find a strong balance between patient service and data security.
*The amount of scope reduction benefit for each of these solutions can vary depending upon the specific environment and the way in which they are implemented. Organizations are strongly advised to consult their Qualified Security Assessor (QSA) and/or their acquiring bank to determine the exact nature of the benefit afforded by these solutions.
Sphere’s partnership with Qgiv advances its software strategy in the charitable giving and nonprofit sector.
NASHVILLE, Tenn. (April 23, 2019)—Sphere, the leading provider of end-to-end integrated payments and security software, today announced it has made a strategic investment in Qgiv, Inc. (Qgiv), a provider of cloud-based fundraising software that facilitates payments as part of its solution for nonprofit and charitable organization fundraising. This partnership advances Sphere’s strategy to integrate deeply within high-growth core vertical markets by surrounding its current payments offerings in the nonprofit vertical with leading software.
Qgiv provides a variety of digital fundraising tools for nonprofit and faith-based organizations, including online donation forms, event registrations, peer-to-peer fundraising, text-based fundraising and messaging tools, giving kiosks, a donor-facing giving app, and more—all of which are easily managed from one control panel.
“Qgiv strategically complements Sphere’s growth initiatives to enhance technology that facilitates payments in more innovative and secure ways,” said Steve Rizzuto, chief executive officer of Sphere. “Their path to continued growth aligns with Sphere’s strengths in integrated, secure payment solutions.”
“The addition of Qgiv to the Sphere family of companies significantly advances our strategy of integrating key software applications to our core payments offering, in this case in the nonprofit and charitable giving sector,” said Andrew Rueff, executive chairman of Sphere. “Todd Baylis, chief executive officer and co-founder, and his team have established Qgiv as a leading software company in a highly attractive vertical market, and they have a reputation for delivering innovative software solutions. This aligns very well with Sphere’s core values and strategy.”
“We’re excited to partner with Sphere and truly believe that their platform, roadmap and extensive knowledge of integrated payments will ultimately provide great benefits to the customers we work with and the nonprofit market as a whole,” said Baylis of Qgiv. “We look forward to partnering with Andrew, Steve and the Sphere team to continue to improve and iterate Qgiv’s online fundraising platform based on customer feedback and solving the needs of our current and future customers.”
For more information on Sphere, please visit http://www.spherecommerce.com.
Sphere, powered by TrustCommerce technology, is a leading provider of end-to-end integrated payments, security software, payments gateway and merchant acquiring products and services. Sphere serves large, complex enterprises and small local businesses across a range of vertically oriented end-markets, including healthcare, education, parking, insurance and nonprofit. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is: highly secure and compliant, integrated with their core business software, omnichannel, and processor-neutral. Sphere’s partner-centric focused payments solutions serve small, midsize and enterprise level businesses and software companies in the U.S., Canada, and Australia.
About Qgiv, Inc.
Qgiv, Inc. is a leading online fundraising platform founded in 2007. From their base in Lakeland, FL, they currently serve more than 3,000 nonprofit organizations in the United States and Canada. Qgiv’s aim is to help nonprofits raise more by anticipating and addressing their needs and challenges through customer-informed development and close attention to industry best practices. They offer no-contract pricing, unlimited access to tools and support, and integrations with industry-leading donor management and CRM software to make it easy for nonprofits to experiment with new technology and grow their digital fundraising programs. To learn more, please visit https://www.qgiv.com.
By Dr. Heather Mark
On March 19, 2019, the well-known and respected security researcher and reporter Brian Krebs posted an article with the headline “Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years.” According to the article, “The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees.” With that in mind, think about how many accounts you have linked to Facebook.
The news is a constant parade of security breaches in which user names and passwords are compromised. It is easy for people to become numb to that, or to think that it’s “only” a username and password, not financial data. But how many of us use the same password, or a close variation, for several of our accounts, including our work passwords? Take a look at this list of security breaches, and think about how many of those impact you, and how many times you recycled passwords for those accounts.
Though it can be convenient, reusing passwords does put you at risk for further compromise. As criminals have become more sophisticated, they’ve taken to aggregating data collected from various breaches and extrapolating it to compromise accounts that you might not even know were in danger. Do you use the same password for social media as you do for your bank account? You might not be concerned if your social media password was compromised, but what if the hacker were able to discern your bank or financial institution? Have you ever posted a complaint or comment about your bank? Do you check into your office on social media?
We’ve all read the stories about people using “password 123” or “changeme!” for their passwords. Not only are those easy to crack, but they’re painfully ubiquitous. Here are some quick, easy tips for creating a strong password:
- Use phrases – think of a line from a favorite book, movie or song. That can actually be easier to remember than a short jumble of characters, and it is inherently more complex, particularly if it includes punctuation.
- Use “special” characters – when we think of special characters, we tend to default to “!” or “*”, because they are easy to remember. But the semicolon (“;”) is woefully underused, as are the ampersand (“&”) and the tilde (“~”). Think creatively about which special characters you use and how you use them; for example, you can combine special characters to make emoticons.
- Mix numbers and letters – a creative mix of numbers and letters can make a password harder to guess. Avoid obvious substitutions, such as a “3” for an “e”: password-cracking tools try those substitutions first.
- Use capital and lowercase letters – mix your use of capitals and lower case. You don’t have to follow grammatical conventions when creating strong passwords; a name doesn’t have to start with a capital letter.
Another important reminder is to change your password regularly. It can be easy to forget that, particularly in the age of biometric authentication. One trick that I use is to set a calendar reminder to change my passwords. You can choose every 30, 60, or 90 days, but it’s best not to go past the 90 day mark.
It can be a hassle to come up with and remember new passwords every 90 days, but using new, unique passwords is an important tool for protecting yourself and your business. It pays to be smart!
Daryl Seaman joins Sphere as CIO bringing 35 years of leadership excellence.
NASHVILLE, Tenn. (March 22, 2019) — Sphere, the leading provider of end-to-end integrated payments and security software, today announced that Daryl Seaman has joined the company as Chief Information Officer. In this role, Mr. Seaman will lead the Information Technology group, overseeing all aspects of new development. He will also be responsible for maintaining the integrity of production processing in a secure operating environment and providing world-class support services to our clients.
Mr. Seaman is a 35-year veteran of the payments industry, having served in executive Information Technology roles at two of the largest acquirers, First Data Corporation and TSYS. His areas of expertise include operational excellence, large-scale conversions/integrations, and organizational capability.
“Daryl’s proven track record in increasing an organization’s capability and capacity and his commitment to excellence will be instrumental to the growth of Sphere,” said Steve Rizzuto, Chief Executive Officer of Sphere. “He is a tremendous addition to the leadership team.”
“It is an honor to be a part of Sphere,” said Mr. Seaman. “Combining the industry experience of our leaders with the outstanding reputation of TrustCommerce technology will provide opportunities for growth in the fast-paced payments industry.”
In his career, Mr. Seaman has supported issuing and acquiring business units, led some of the industry’s largest conversion projects and managed both new development and support organizations, as well as overseas assignments for international business expansion.
Sphere, powered by TrustCommerce technology, is a leading provider of end-to-end integrated payments, security software, payments gateway and merchant acquiring products and services. Sphere serves large, complex enterprises and small local businesses across a range of vertically oriented end-markets, including healthcare, education, parking, insurance and non-profit. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is: highly secure and compliant, integrated with their core business software, omni-channel, and processor-neutral. Sphere’s partner-centric focused payments solutions serve small, midsize and enterprise level businesses in the U.S., Canada, and Australia.
Sphere, the leading provider of end-to-end integrated payments and security, welcomes new partner Dr. Leonardo Interactive Web Services.
Through this strategic partnership, Dr. Leonardo will offer healthcare providers websites for their practices that can integrate with Sphere’s online payment functionality. This allows patients to pay outstanding medical bills, such as deductibles and copays, in a secure and convenient way.
Pew Internet Research studies indicate that 81% of Americans search for individual healthcare providers online, with many of them seeking to make payment for outstanding medical bills using their credit cards. Dr. Leonardo’s eHealth Internet Presence platform allows doctors to create a personal PROVIDER-Site™ with appointment scheduling, patient portal access, education materials and now, online bill payment using Sphere’s secure technology.
By Dr. Heather Mark
In the wake of yet another massive data breach, media outlets around the world are asking a lot of questions. More questions, it seems, than the victims of the breach are asking. People seem to have become numb to the loss of sensitive data. But while individuals carry on as though nothing has changed, businesses need to be cognizant of the consequences of a data breach beyond the penalties associated with a violation of the PCI DSS. Those consequences can be swift and severe: a class action suit has already been filed against Marriott asserting that the breach should have been detected four years earlier. Further, companies that fall victim to hackers can expect to play host to government regulators, state attorneys general, forensic investigators and other third parties for a significant length of time. So what is a company to do to protect its data?
I once had a self-proclaimed “grey hat hacker” tell me, “your company has to find and fix every single hole in the environment. I just need to find one. And I’ll spend 24/7 to do it.” That demonstrates the reality that data security in the online world, our world, can be a tremendous task. However, as with all types of crime, there are methods that can be employed to increase the work factor for criminals in compromising your environment and to make your business a hard, or at least a harder, target. Those criminals looking for just an “opportunity” may determine that there are easier targets and move on.
The most obvious step is compliance with the PCI DSS. The Standard has been in place since 2004 (the PCI Security Standards Council that now maintains it was formed in 2006) and serves as an excellent security baseline. All companies that store, process, or transmit cardholder data (or can otherwise impact the security of the transaction) must comply with it. Though compliance must be validated once a year, it is important to maintain compliance throughout the year through a robust compliance monitoring program; without ongoing management, a company can drift out of compliance without noticing, let alone taking corrective action. Failing to comply can also result in financial penalties. It is important to note, though, that PCI DSS applies only to payment card account data: the primary account number, the cardholder name, expiration date and service code stored with it, and the sensitive authentication data used to authorize a transaction. Its scope does not include any other form of potentially sensitive information.
As we’ve seen from countless headlines, data breaches don’t just involve payment card numbers. They often include email addresses, usernames, passwords, physical addresses, social security numbers and other similarly sensitive data that the PCI DSS does not contemplate. What should companies do then? The PCI DSS still serves as a useful launching pad. But before determining how far to extend the protections and controls enumerated in that standard, it helps to conduct an exercise known as a data inventory.
Simply put, a data inventory is an exercise in which each functional area of the company examines the data it uses and why, how it is collected, stored and shared, and how it is destroyed or disposed of when no longer needed. These exercises can be eye-opening and are extremely useful. It is not uncommon to unearth data collection or use practices that were not widely known in the organization. Such knowledge gaps can lead to critical holes in the control environment, exposing the company to risks of which it was not even aware. More importantly, the inventory helps the organization make informed, risk-based decisions about the information it collects (e.g. do we, as an organization, need this data element to fulfill our business objectives? If so, what protections must we afford it? Is it ultimately worth the investment?). Once the data inventory is complete, you may find it helpful to assess whether, and how, the PCI DSS controls already in place can be extended to cover these additional data elements and the larger data environment.
The inventory may also reveal that the organization has additional regulatory obligations as a result of the data it collects. For example, is the company storing data related to healthcare, education, or financial accounts? The inventory can support the organization’s regulatory risk assessment, and proactively identifying potential compliance gaps is always better than having them identified by auditors, regulators, or clients. If additional regulatory obligations are discovered, it helps to map the PCI requirements the organization already meets to the newly identified requirements. There will still be gaps to address, but by extending the PCI DSS control environment, organizations may be able to significantly reduce the cost of expanding those protections to other forms of data and other data environments.
Granted, the discussion presented here is more nuanced and robust than the constraints of a blog post may allow, but it does provide us all food for thought. If the only data that is possessed by an organization is payment card data, then perhaps PCI DSS compliance is sufficient protection. However, such an organization, to use the popular language of the day, is something of a unicorn. Most organizations host a wide variety of data – data that is regulated and data that a company may simply want to protect, such as proprietary code, formulas, or business plans. For those organizations, compliance with PCI DSS is just the tip of the iceberg. I’ll leave you with this direct quote from the PCI DSS v 3.2.1: “PCI DSS comprises a minimum set of requirements for protecting account data, and may be enhanced by additional controls and practices to further mitigate risks, as well as local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personal information or other data elements (for example, cardholder name). PCI DSS does not supersede local or regional laws, government regulations, or other legal requirements.”
Payments industry veteran Bauer will guide product strategy across all Sphere platforms to shape Sphere’s ongoing initiatives around secure payment processing.
NASHVILLE, Tenn. (February 8, 2019) —Sphere, the leading provider of end-to-end integrated payments and security software, hired payments industry veteran, Curtis Bauer to lead the company’s product strategy, project management office, solutions engineering and client implementation teams.
“Curtis is known for his analytical vision and for solving challenging problems, by leveraging collaborative and innovative approaches,” said Steve Rizzuto, Chief Executive Officer of Sphere. “Given the complex and rapidly changing payments ecosystem we operate in today, we are confident that he will be integral in the execution of our long term growth strategy.”
“The addition of Curtis builds on the foundation of industry leading executive talent that we have assembled at Sphere,” said Andrew Rueff, Executive Chairman of Sphere. “Curtis will contribute significantly to our operating and execution capabilities in the key integrated payments verticals that we serve. I am excited to have Curtis join our executive leadership team.”
Bauer has more than 20 years of payments experience and has held leadership roles in two of the top 10 Payment Acquirers in the United States. He brings in-depth experience in Corporate Strategy, Product Implementation, Call Center Management, Relationship Management, Inbound Sales, Project Management, Sales/Solutions Engineering and Developer Services.
“In this period of industry growth and transformation, I’m thrilled by the opportunity to be a part of the Sphere leadership team, which is comprised of experienced industry veterans, to leverage Sphere’s capabilities and technology. Sphere’s core product set has always had a strong foundation around payment card security, which has never been more vital in today’s ultra-connected commerce,” said Bauer.
Bauer’s hire comes at a pivotal point in Sphere’s expansion, which has seen significant investments across all areas of the organization.
Sphere, powered by TrustCommerce technology, is a leading provider of end-to-end integrated payments, security software, payments gateway and merchant acquiring products and services. Sphere serves large, complex enterprises and small local businesses across a range of vertically oriented end-markets, including healthcare, education, parking, insurance and non-profit. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is: highly secure and compliant, integrated with their core business software, omnichannel, and processor-neutral. Sphere’s partner-centric focused payments solutions serve small, midsize and enterprise level businesses in the U.S., Canada, and Australia.
Event Schedule 2019
The Sphere teams will be exhibiting at a variety of payments and industry events. Come visit us! We have exciting news to share about our products and services.
February 11-15 | Orlando
February 14-15 | Las Vegas
February 27-March 3 | Las Vegas
ACN International Training Event
March 9-11 | Sydney
ACN International Training Event
March 29-31 | Charlotte, NC
Collaboration of Revenue Cycle Epic Users (CORE) East
April 10-12 | Pittsburgh
OCHIN Learning Forum
April 16-18 | Portland