The importance of healthcare payment systems being fully descoped from PCI DSS

Blog

21 Oct 2024

Find out why partial solutions leave you exposed.

Here at Eckoh I primarily work with organizations in the healthcare sector, so I understand the particular challenges that healthcare providers face when it comes to protecting their customers’ sensitive data.

The sheer volume of highly sensitive personal and financial data processed by healthcare organizations makes them very attractive targets for cybercriminals. However, while almost all healthcare providers understand the need for robust cyber security strategies, I have found that PCI DSS (Payment Card Industry Data Security Standard) compliance often isn’t as high a priority. This is a dangerous oversight, for reasons that I’ll talk about in this blog.

The problem with partial PCI DSS solutions

One common mistake that I often see healthcare providers make is adopting partial solutions, such as ‘pause and resume’ or an IVR system, and thinking these will bring them in line with PCI DSS requirements. The reality, however, is that these solutions often mean that critical parts of their environment remain within the PCI scope, leaving sensitive data and the entire organization at risk.

At first glance, a solution such as ‘pause and resume’ seems to be a simple, cost-effective way of minimizing your compliance burden. While this might reduce exposure of certain data and make your call recordings compliant, it does not address the core issue - the need to fully descope your contact center from PCI DSS requirements.

Why? Because while the recording system may no longer capture cardholder data, many other parts of your contact center infrastructure remain exposed. Agents, desktop applications, your VoIP network, internal servers, and even network storage systems may inadvertently store, access, or transmit payment information, leaving your environment within PCI scope. With an IVR, although your agents themselves aren’t exposed to customer card data, your VoIP network, Automatic Call Distributor (ACD), and similar components are still in scope for PCI DSS. On top of that, I think we can all agree that an IVR doesn’t provide the optimal customer experience. We've found that patients, when providing payments or making decisions about their own or a loved one's health, prefer to speak to a real person when navigating the healthcare system.
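One practical way to test whether a partial solution has actually taken these systems out of scope is to look for cardholder data where it should no longer exist: agent notes, IVR and ACD logs, call transcripts, desktop residue. The scanner below is an added example written for this post, not Eckoh's code or any product feature; it matches digit runs that look like a primary account number, discards candidates that fail the Luhn check (so ordinary session ids and timestamps are not flagged), and reports only masked values so the scan itself does not spread card data. The sample records and the sources they represent are constructed, and the card numbers are the public test numbers.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to its first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return the PANs (as digit strings) found in text; Luhn-valid only."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records):
    """records: iterable of (source, text) pairs. Returns one finding per PAN,
    carrying the source name and a masked PAN, never the full number."""
    findings = []
    for source, text in records:
        for pan in find_pans(text):
            findings.append({"source": source, "masked": mask_pan(pan)})
    return findings


# Constructed sample records standing in for the places the post lists
# (agent notes, IVR/ACD logs, transcripts, desktop residue). Hypothetical
# source names; the card numbers are public test numbers, not real data.
SAMPLE_RECORDS = [
    ("crm_note", "Patient called re balance, paid with card 4111 1111 1111 1111 exp 12/26"),
    ("ivr_log", "2024-10-21 13:45:00 session 1234567890123456 completed, amount 120.00"),
    ("transcript", "Agent: I can see the card ending 4444 on file, shall I use that?"),
    ("desktop_clipboard", "5555-5555-5555-4444"),
    ("payment_ref", "ref 378282246310005 posted to ledger"),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['source']}: cardholder data present ({f['masked']})")
```

Run against the constructed records, the CRM note, the clipboard capture and the payment reference are flagged, while the IVR log line is not: its sixteen-digit session id fails the Luhn check. Any hit from a system that a ‘pause and resume’ or IVR deployment was supposed to have removed from scope is evidence that the environment is still handling cardholder data.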

Misplaced priorities: cyber security vs. PCI DSS

Healthcare providers, like many others, invest significantly in cyber security measures such as endpoint detection and response, firewalls, and threat detection. While these efforts are essential, viewing PCI DSS compliance as the ‘poor relation’ of cyber security is shortsighted. Non-compliance or partial compliance exposes your organization to significant financial and reputational risks.

Additionally, compliance and security are not the same thing. You can comply with PCI DSS but not be secure! Organizations often opt for ‘partial’ PCI solutions because they appear cheaper at the point of purchase.

For example, I worked with an organization that set up an interactive IVR system to take payments. The solution was sold to the organization as something that would resolve PCI compliance - and that was partially true. However, it wasn’t a full descoping solution. When the organization was audited, they discovered that card data was still crossing their VoIP network, meaning they remained in scope for PCI DSS, and this left holes in their compliance and security strategy.

We see this all too often. Organizations try to cut costs and implement a solution only to find out it doesn’t give them the coverage they need. They spend months of time and resources on a band-aid solution, only to find out a year or two later that they have to rip it out and start over. They could have fully descoped their organization with a robust solution from the beginning, saving time, resources, and money.

Fully descope: the smarter, safer solution

Rather than adopting a quick-fix solution, it's far more effective to invest in a comprehensive system that fully eliminates payment data from your environment. By using Eckoh’s solutions, you can completely remove your contact center from the scope of PCI DSS. This approach not only minimizes risk but also significantly reduces the time, effort, and cost required to maintain compliance. 

The long-term benefits of a fully descoped solution far outweigh the initial investment. Your healthcare organization’s contact center customer data will be protected against data breaches, fraud, and potential non-compliance penalties. More importantly, by adopting a secure payment system from the outset, you avoid the costly process of having to deploy a second, more robust solution down the road - something I have seen far too many companies struggle with.

Why healthcare providers need to prioritize PCI DSS compliance

Safeguarding patient data is a huge priority for healthcare providers. A data breach that compromises payment or other personal information can erode patient trust, damage your organization’s reputation, and lead to severe financial penalties - things healthcare providers cannot afford.

By fully descoping from PCI DSS compliance from the start, your organization demonstrates a commitment to data security, not only protecting your patients but also maintaining your reputation as a trustworthy healthcare provider.

Don’t take shortcuts on security

At Eckoh, we specialize in providing secure, PCI-compliant payment card systems tailored to the needs of our customers. If you’re ready to secure your payment systems and ensure full PCI DSS compliance, contact us today to learn how we can help. 

Patrick McCartney

Senior Account Executive

If you’re looking to tighten internal PCI DSS and compliance measures and step up your game when it comes to your customers’ payment security, check out Eckoh’s site to see how dozens of Fortune 500 companies use Eckoh to completely descope from PCI DSS and future-proof their infrastructure against a potential data breach.
