P2PE devices In healthcare

When a patient makes a payment over the phone, they read out their card numbers and the agent enters them into the PIN pad on their behalf. When used this way these POI devices provide only partial security. The cardholder data transmission from the agent's entry point to the payment service provider is indeed encrypted. However, the issue is that while the transmission is encrypted, the card data is still exposed within the overall healthcare environment. The agent can hear the credit card information as the caller reads it out, and it traverses the telephony, network and internal systems unencrypted before reaching the PIN pad.

This exposure means that, despite using POI devices, the environment remains in scope for PCI DSS compliance, presenting a significant security risk, as well as meaning that the merchant has to engage in a complex and expensive PCI auditing process. And there are other complexities. For example, if the organization is recording its calls, then it would need to consider how to ensure that the calls are paused and cardholder data is not being recorded as it is being spoken by the cardholders, otherwise the call recording is also then in scope.

An Eckoh client who recently switched from using POI devices to using Eckoh’s CallGuard solution for phone based payments explains just how much of a challenge dealing with this issue can be.

“All calls were recorded, and the process was to manually pause and resume the recording while accepting cardholder data (CHD) over the phone. During an audit it was determined that some recordings were not paused, resulting in archived or stored CHD. This started a whole new process of auditing recorded calls each day to ensure CHD was removed or scrubbed from our servers and that proper training and coaching sessions were accommodated for the users responsible for the incidents. This was a major risk and after working with a QSA we were able to determine that the average cost of one of those recordings getting breached would cost us $44,000 in communications, additional audits, potential fines or fees, loss of reputation and so on.”

In addition to the security issues that these POI devices present, they also come with significant costs and maintenance issues. Each agent requires their own POI device, which comes at a cost and then requires ongoing maintenance, as well as replacement costs if the device is lost or needs to be replaced for any reason. Additionally, POI devices are not flexible for remote work which is now a new working model after the pandemic, adding further complications. There is also a significant amount of administration required from a PCI compliance perspective. The organization needs to maintain an accurate an up-to-date list of these devices, they must be periodically inspected to look for tampering or unauthorised access, and personnel need to be trained to be aware of suspicious behavior and report tampering or unauthorised substitution of devices.

Our client explains how these costs mount up.

“Every agent that accepted payments over the phone had an encrypted POI device assigned to them. These devices were powered up 24/7 and utilized electricity and data in our environment. These devices required periodic inspections and troubleshooting/replacement when they stopped working. Each occurrence of these situations cost an average of $225 with time, loss of payment collections, and resources required to correct the situation. All of these costs could be eliminated by the Eckoh CallGuard solution.”