PCI has released its second case study on Bluefin’s PCI-validated P2PE solution. This case study explores the implementation of the Bluefin solution by Children’s Healthcare of Atlanta (CHOA), the benefits they have received, and the value of PCI-validated P2PE to their organization.
What does P2PE achieve for Children’s Healthcare of Atlanta?
CHOA: Due to the complexity of our hospital network, we wanted to implement a solution that would provide our customers with the most secure method of processing a payment card transaction at our 45 locations. We implemented a PCI-listed P2PE Solution to reduce the number of PCI DSS requirements that apply to our cardholder data environment (CDE), to secure our patients' payment data, and to mitigate the risk of a payment data breach.
Bluefin: To achieve their goal to down-scope and secure their payment systems, CHOA set two objectives: reduce the overall size of their cardholder data environment (CDE) and reduce the number of applicable PCI DSS requirements. Implementing our P2PE solution accomplished both of these objectives swimmingly. CHOA was able to remove entire networks from the scope of their PCI DSS assessment and qualify for the PCI P2PE Self-Assessment Questionnaire (SAQ) which has about 35 questions. When compared to SAQ D which has about 350 questions, CHOA was able to simplify their PCI compliance program by roughly 90%.
Why did you see it as important to choose a P2PE Solution that is PCI-listed?
CHOA: Through our due diligence researching a number of providers, we discovered that many are selling their own encryption solution; however, it's not fully compliant from a PCI P2PE perspective unless it has been validated by the PCI Security Standards Council and listed on their website. Only PCI-listed solutions are recognized as meeting the requirements for merchants to reduce the scope of their PCI DSS assessment through the use of a P2PE Solution. Not only did we want the best security for our patients' payment data, but we also wanted the peace of mind that a PCI-listed P2PE Solution provides. PCI's P2PE Solution listing allows us to rely on audited facts and not on sales gymnastics or promises of protection.
Bluefin: CHOA implemented an encryption solution to protect against malware attacks, which are the primary cause of point of sale (POS) breaches. It is also important to have physical protection within the card reader so that it can detect and respond to tampering. PCI requires card readers used in P2PE Solutions to be validated as physically secure, and requires chain of custody and asset tracking to be maintained throughout the card reader lifecycle.