PCI and Healthcare Providers: How Can I Reduce My Scope?

By Dr. Heather Mark

The healthcare industry is, as most know, a heavily regulated industry.  Government regulations detail how data is to be collected, shared, and protected; how patients can access their data; how research is conducted and reported; and a multitude of other factors.  Layering in the protection of payment card data can seem overwhelming, particularly given the size and complexity of health care networks – physicians’ offices, laboratories, hospitals, and clinics.  Fold in a sprinkling of online bill pay as well, and one can see how the prospect of complying with the PCI DSS, as well as other regulatory mandates, can be overwhelming.  But PCI DSS compliance can be made more manageable by employing scope reduction strategies.

First things first, though.  What is scope reduction?  To understand this, one must understand what is defined as the Cardholder Data Environment, or CDE.  The CDE is defined by the Payment Card Industry Security Standards Council (PCI SSC) as the “people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.  ‘System Components’ include network devices, servers, computing devices, and applications… [and] any other component or device located within or connected to the CDE.”  So, the scope of the CDE is any device or person that has access to cardholder data and any device connected to that component.  For many organizations, in healthcare and beyond, that scope can seem fairly daunting.  The objective of scope reduction is to minimize the number of components that come into contact with the cardholder data.  By reducing the number of components that contact cardholder data, an organization can reduce its scope. This serves the purpose of reducing the complexity of the CDE, the cost and complexity of the PCI DSS assessment, and the work factor involved in maintaining compliance.

So, how can an organization reduce their scope?  The first step is to know where and how payments are accepted.  Questions that can help in that process include:

  1. Where does your health system physically accept electronic payments?
  • Registration
  • Front Desk
  • Call Center
  • Pharmacy
  • Parking
  • Radiology
  • Emergency Room
  • Gift Shop
  2. How do you accept payments in these locations?
  • In Person
  • Online
  • Kiosk
  • Mobile
  • IVR
  • EHR Software
  • Other
  3. Does your EHR system offer a secure payment integration?
  • Yes
  • No
  4. Which of the following does your payment integration support?
  • Tokenization
  • Validated Point to Point Encryption
  • Hosted Payment Page for secure online transactions
  • Secure recurring billing and installment payments

It is also important to determine whether or not you have appropriately segmented your CDE to prevent bringing your entire organization into scope.  In other words, if your payment environment is connected to your corporate environment, without firewalls, routers or other appropriate measures in place to act as a DMZ, you could end up having to manage PCI compliance for every part of your network. Per the PCI DSS, “Without adequate network segmentation (sometimes called a “flat network”) the entire network is in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists, or other technologies that restrict access to a particular segment of a network. To be considered out of scope for PCI DSS, a system component must be properly isolated (segmented) from the CDE, such that even if the out-of-scope system component was compromised it could not impact the security of the CDE.”
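To make the segmentation point concrete, here is an added example (written for this article, not the author's own tool) that computes which components of a small, constructed hospital inventory fall into PCI DSS scope.  It models "connected to the CDE" as a firewall or ACL rule permitting traffic in either direction between a component's zone and a zone holding cardholder data; the zone names, component names and rules are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One firewall/ACL entry between two network zones ("any" = wildcard)."""
    src_zone: str
    dst_zone: str
    action: str  # "allow" or "deny"

def permitted(rules, src_zone, dst_zone):
    """First matching rule wins, as on a typical ACL; no match means deny."""
    for rule in rules:
        if rule.src_zone in (src_zone, "any") and rule.dst_zone in (dst_zone, "any"):
            return rule.action == "allow"
    return False

def pci_scope(components, chd_components, rules):
    """In-scope set: every component that stores, processes or transmits
    cardholder data, plus every component whose zone the rules still let
    talk to (or be reached from) the zone of a cardholder-data component."""
    scope = set(chd_components)
    for name, zone in components.items():
        if name in chd_components:
            continue
        for cde_name in chd_components:
            cde_zone = components[cde_name]
            if permitted(rules, zone, cde_zone) or permitted(rules, cde_zone, zone):
                scope.add(name)
                break
    return scope

# Constructed inventory (hypothetical names): component -> network zone.
COMPONENTS = {
    "registration_pos": "cde",      # card terminal at registration
    "pharmacy_pos": "cde",          # card terminal in the pharmacy
    "payment_gateway": "provider",  # the validated service provider's endpoint
    "ehr_server": "corp",
    "radiology_pacs": "corp",
    "hr_workstation": "corp",
}
CHD_COMPONENTS = {"registration_pos", "pharmacy_pos"}  # the CDE core
# A flat network: every zone may reach every other zone.
FLAT_RULES = [Rule("any", "any", "allow")]
# Segmented: the CDE may only send to the provider; everything else is denied.
SEGMENTED_RULES = [Rule("cde", "provider", "allow"), Rule("any", "any", "deny")]

if __name__ == "__main__":
    print("flat:     ", sorted(pci_scope(COMPONENTS, CHD_COMPONENTS, FLAT_RULES)))
    print("segmented:", sorted(pci_scope(COMPONENTS, CHD_COMPONENTS, SEGMENTED_RULES)))
```

With the flat rule set every component in the inventory lands in scope, exactly as the quoted PCI DSS text warns; with the segmented rule set only the two terminals and the provider endpoint remain.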

Another strategy that can be employed to reduce the scope of the CDE is to reduce the number of cardholder data touchpoints in the environment.  The more the input of cardholder data can be reduced, the greater the level of scope reduction.  Any number of solutions can be employed, but here is a brief description of the most effective means* of reducing interaction with cardholder data:

  • Hosted Payment Pages – merchants can accept payments through the use of a hosted payment page. The Payment Page is hosted by a PCI DSS validated, registered service provider.  The payment information posts directly from the consumer to the service provider, bypassing the environment of the healthcare provider.
  • Tokenization – in this solution, the payment information is replaced with a randomly generated value that is used to represent the payment mechanism. The healthcare provider can still use that token to process subsequent payments, as may be useful for patients on payment plans, reporting purposes, patient payment analysis, and chargeback or dispute purposes.  The benefit here is the reduced payment data footprint within the organization.
  • PCI Validated Point to Point Encryption (P2PE) – a P2PE solution is one in which the cardholder data is encrypted from the point of interaction (swipe, dip, entry) all the way through the processor. The payment is processed, but when the authorization response is sent to the healthcare organization, the payment data is replaced with a token.

As technology continues to evolve and healthcare organizations find new ways to connect with and serve their patients and communities, it is important to remain mindful of the potential risks that those new technologies may present.  By implementing the above solutions, healthcare providers may find a strong balance between patient service and data security.

*The amount of scope reduction benefit for each of these solutions can vary depending upon the specific environment and the way in which they are implemented.  It is highly suggested that all organizations consult with their Qualified Security Assessor (QSA) and/or their Acquiring Bank to determine the exact nature of the benefit afforded by these solutions.