P2PE devices in healthcare

27 Jun 2024

In the healthcare industry, encrypted PIN pads (point-of-interaction (POI) devices, typically deployed as part of a point-to-point encryption (P2PE) solution) are widely used so that representatives of individual departments or business units can take payments from patients.

These devices are primarily designed for taking payments when the cardholder is physically present and presents their own card. The PCI Security Standards Council's position is that, when a validated P2PE solution is used in this way, the merchant can remove significant parts (but not all) of its cardholder data environment from PCI DSS scope.

However, from my experience working with many healthcare organizations, I'd estimate that as many as 90% of the companies I speak to are using POI devices as a way for the healthcare representative to key in card data directly for card-not-present (CNP) transactions, such as payments taken over the phone. It is important to understand that, when the devices are used this way for CNP payments, very significant parts of your environment remain in scope for PCI DSS.

When a patient pays over the phone, they read out their card details and the agent keys them into the PIN pad on the patient's behalf. Used this way, the POI device provides only partial protection. The transmission from the point where the agent keys the data to the payment service provider is indeed encrypted. The problem is everything that happens before that point: the card data is still exposed within the wider healthcare environment. The agent hears the full card details as the caller reads them out, and that spoken data passes through the telephony platform, any VoIP network and any call or screen recording system in the clear before it ever reaches the PIN pad.

This exposure means that, despite the POI devices, the environment remains in scope for PCI DSS compliance. That is both a significant security risk and a commitment to a complex and expensive PCI assessment process. And there are further complications. If the organization records its calls, it needs a reliable way to pause recording while the cardholder reads out their card details; otherwise the recordings contain cardholder data and are themselves in scope. A recording that captures the card security code is worse still: PCI DSS prohibits storing sensitive authentication data after authorization, even in encrypted form, so such recordings must be found and rendered unrecoverable, not merely protected.

An Eckoh client who recently switched from using POI devices to using Eckoh’s CallGuard solution for phone based payments explains just how much of a challenge dealing with this issue can be.


“All calls were recorded, and the process was to manually pause and resume the recording while accepting cardholder data (CHD) over the phone. During an audit it was determined that some recordings were not paused, resulting in archived or stored CHD. This started a whole new process of auditing recorded calls each day to ensure CHD was removed or scrubbed from our servers and that proper training and coaching sessions were accommodated for the users responsible for the incidents. This was a major risk, and after working with a QSA we were able to determine that the average cost of one of those recordings being breached would be $44,000 in communications, additional audits, potential fines or fees, loss of reputation and so on.”
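
The daily audit the client describes, checking recordings for card numbers that should have been paused out, is the kind of check that can be automated once the recordings have been transcribed. The following is an added example, not code from the original post or from Eckoh: it assumes each recording has already been run through speech-to-text and is available as plain text, scans the transcript for 13-19 digit sequences that pass the Luhn check (so account and phone numbers are not flagged), reports each hit against its recording ID with the PAN masked to first six and last four, and can redact the transcript in place. The recording IDs, transcript lines and card numbers (industry test PANs) are constructed for the example.

```python
"""Scan call-recording transcripts for card numbers (PANs) that should have been
paused out of the recording.

Added example, not part of the original Eckoh post. Assumes the recordings have
already been run through speech-to-text and that each transcript is available
as plain text; the recording IDs and transcript lines below are constructed.
"""
import re
from typing import NamedTuple

# Digit runs of 13-19 digits, allowing the spaces or dashes a transcription
# engine typically inserts when a caller reads a number in groups of four.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Finding(NamedTuple):
    recording_id: str
    masked_pan: str   # first 6 + last 4 only, safe to put in an audit log


def _candidate_digits(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit sequence in text, digits only."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = _candidate_digits(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Mask to the PCI DSS display rule: at most first 6 and last 4 visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace Luhn-valid candidates in place, leaving non-PAN numbers alone."""
    def _sub(m: re.Match) -> str:
        digits = _candidate_digits(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[PAN REDACTED ****" + digits[-4:] + "]"
        return m.group()
    return _CANDIDATE.sub(_sub, text)


def audit(transcripts: dict[str, str]) -> list[Finding]:
    """Return one Finding per PAN that leaked into a recording."""
    findings = []
    for rec_id, text in transcripts.items():
        for pan in find_pans(text):
            findings.append(Finding(rec_id, mask(pan)))
    return findings


# Constructed sample transcripts. The card numbers are standard test PANs
# (Luhn-valid but not issued to anyone); the account and phone numbers are
# there to show that not every long digit run is a card number.
SAMPLE_TRANSCRIPTS = {
    "rec-0001": "Agent: your account number is 1234567890123 and I've paused the recording.",
    "rec-0002": "Caller: the card is 4111 1111 1111 1111, expiry oh-eight twenty-six.",
    "rec-0003": "Caller: you can call me back on 01234 567890 if that helps.",
    "rec-0004": "Caller: it's 5555-5555-5555-4444 and the number on the back is 123.",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_TRANSCRIPTS):
        print(f"{f.recording_id}: PAN {f.masked_pan} present in recording")
    print(redact(SAMPLE_TRANSCRIPTS["rec-0002"]))
```

Two caveats for anyone adapting this. It only sees what the transcription engine produced, so digits spoken as words ("four one one one") or mis-transcribed will be missed, and a recording flagged here almost certainly also contains the security code read out alongside the PAN, which PCI DSS does not allow to be retained after authorization at all; the right response to a hit is to delete or scrub the recording, not to add it to a protected archive.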


In addition to the security issues, POI devices come with significant costs and maintenance overhead. Each agent needs their own device, which has to be bought, maintained and replaced if it is lost or fails. POI devices are also awkward for remote working, which has become a standard working model since the pandemic. And there is a considerable amount of PCI DSS administration (Requirement 9.9 in PCI DSS v3.2.1, Requirement 9.5 in v4.0): the organization must maintain an accurate, up-to-date inventory of the devices, inspect them periodically for tampering or unauthorised substitution, and train personnel to recognise suspicious behaviour and to report tampering or unauthorised substitution of devices.

Our client explains how these costs mount up.


“Every agent that accepted payments over the phone had an encrypted POI device assigned to them. These devices were powered up 24/7 and utilized electricity and data in our environment. These devices required periodic inspections and troubleshooting/replacement when they stopped working. Each occurrence of these situations cost an average of $225 with time, loss of payment collections, and resources required to correct the situation. All of these costs could be eliminated by the Eckoh CallGuard solution.”

Jesus Torres

Senior Account Executive

If you’re looking to tighten your PCI DSS compliance and step up your customers’ payment security, see Eckoh’s site for how dozens of Fortune 500 companies use Eckoh to keep cardholder data out of their environments entirely, removing it from PCI DSS scope and future-proofing their infrastructure against a potential data breach.
