Putting patients and their personal information first
What does P2PE achieve for Children’s Healthcare of Atlanta?
CHOA: Due to the complexity of our hospital network, we wanted to implement a solution that would provide our customers with the most secure method of processing a payment card transaction at our 45 locations. We implemented a PCI-listed P2PE Solution to reduce the number of PCI DSS requirements that apply to our cardholder data environment (CDE), to secure our patients' payment data and to mitigate the risk of a payment data breach.
Bluefin: To achieve their goal to down-scope and secure their payment systems, CHOA set two objectives: reduce the overall size of their cardholder data environment (CDE) and reduce the number of applicable PCI DSS requirements. Implementing our P2PE solution accomplished both of these objectives swimmingly. CHOA was able to remove entire networks from the scope of their PCI DSS assessment and qualify for the PCI P2PE Self-Assessment Questionnaire (SAQ) which has about 35 questions. When compared to SAQ D which has about 350 questions, CHOA was able to simplify their PCI compliance program by roughly 90%.
Why did you see it as important to choose a P2PE Solution that is PCI-listed?
CHOA: Through our due diligence researching a number of providers, we discovered that many are selling their own encryption solution; however, it's not fully compliant from a PCI P2PE perspective unless it has been validated by the PCI Security Standards Council and listed on their website. Only PCI-listed solutions are recognized as meeting the requirements for merchants to reduce the scope of their PCI DSS assessment through the use of a P2PE Solution. Not only did we want the best security for our patients' payment data, but we also wanted the peace of mind that a PCI-listed P2PE Solution provides. PCI's P2PE Solution listing allows us to rely on audited facts and not on sales gymnastics or promises of protection.
Bluefin: CHOA implemented an encryption solution to protect against malware attacks which are the primary causes of point of sale (POS) breaches. It is also important to have physical protection within the card reader so that it can detect and respond to tampering. PCI requires card readers used in P2PE Solutions to be validated as physically secure and requires chain of custody and asset tracking to be maintained throughout the card reader lifecycle.
Why did you opt for Bluefin’s P2PE Solution?
CHOA: We researched the PCI-listed P2PE Solution providers to clearly understand their respective technologies and from an integration perspective, how it would best fit into our current environment with the least amount of interruption to our business process. Bluefin’s hands-on approach and service level was key in our decision making process. Bluefin offered an array of device options and integration points that CHOA could implement while providing the most secure processing environment for the organization.
What technology or adoption issues did you have to overcome to implement P2PE?
CHOA: During project planning, we identified the largest potential roadblock for CHOA as the integration and deployment of the P2PE devices. With 45 locations housing various departments within each location, it really became a master project to ensure that we serviced all the areas within the organization that processed card data. As it turned out, the deployment of the P2PE devices presented little to no challenge for us. And since employees were already trained to accept card data, using the new P2PE devices didn't require much re-training.
Bluefin: One of PCI P2PE’s greatest benefits is that it gives the merchant their network back. CHOA used PCI P2PE to encrypt card data in card readers which devalued the card data at the point of entry. Since the card data was devalued it did not pull CHOA’s networks and POS systems into scope for PCI DSS transmission security requirements. PCI P2PE saved CHOA from having to overhaul their network topology and network technology across 45 locations, saving time and money.
How are you responding to the increasing number of data breaches in the medical community?
CHOA: This has been a major concern for CHOA and for the customers we serve, which is primarily one of the reasons for implementing the P2PE Solution throughout our organization. P2PE has provided CHOA with an additional level of security to ensure that our customers' data is being handled properly and securely. There are hundreds of reported data breaches each year in healthcare. At CHOA, we put our patients first, which means that PCI-listed P2PE was an absolute must-have.