Making PCI Compliance Human
“While we have the doctors and nurses taking care of [our patients’] health right now, we’re trying to take care of the health of their privacy and their future. By engaging with my peers on Wisegate, I was more informed with a variety of perspectives that helped me frame the problem, enumerate the requirements and the see the possibilities.”
– Scott Schlueter
A Member Spotlight with Scott Schlueter Senior Security Architect, Children’s Healthcare of Atlanta
Compliance standards for companies, and the threats these regulations are trying to combat, are constantly evolving. Navigating compliance is frequently discussed among many of Wisegate’s senior-level IT security professionals, including the changing PCI Data Security Standard.
PCI DSS provides businesses a framework for credit card security payments that all payment processors must adopt. While useful, the compliance standards are difficult to meet and maintain for many industries. Struggles stem from the scale and complexity of requirements, compliance cycles, lack of resources, and lack of insight.
Wisegate member Scott Schlueter, a senior information security architect with Children’s Healthcare of Atlanta, must constantly keep up with new standards and challenges to keep his business compliant.
“One of the challenges is that [PCI DSS] is a little bit of a moving mark,” Schlueter said. “With Version 2.0 there were a little bit more degrees of freedom that IT practitioners were given for how they could interpret compliance. Now the restrictions have been really zeroed in. [With] each revision of PCI compliance there are controls that keep getting tightened, and they are very specific. You don’t have the opportunity to develop once and then be fine. It’s something you would have to keep acquiring to keep a compliant state.”
In Verizon’s 2015 PCI Compliance Report, researchers found four out of five companies are failing at interim PCI DSS assessments. Of those that passed, only 28.6 percent of companies remained fully compliant less than a year after successful validation. Without robust procedures, compliance can be difficult.
Recently, Schlueter engaged with the Wisegate community to address the hurdle of navigating PCI DSS compliance over voice networks. When there is no “one size fits all” answer”, a peer platform provides the variety of choices to empower better decision-making.
As an example, “When you talk to someone on the phone you are having a very human interaction, over a medium that is not fully taken over by digital,” Schlueter said. “When you talk to someone there isn’t any way that you can break down [the conversation] into something that can be firewalled.”
Working with patients and families, many customers crave a human conversation about health and payments. It is difficult, but important, to create a secure connection.
“We’re finding that many of our customers want to be able to speak their payment information,” Schlueter said. “They don’t want to be put into a dial tree. In health care, a lot of what we’re dealing with is that human connection. Trying to find a way to integrate that into our payment process that been specifically challenging and that’s what we’re finding out about voice payments.
“When you’re dealing with submitted [digital] payments, there are a lot of different ways you can transform it and protect the user from submitting it in a means that cannot be intercepted. You can also prevent the agent that might be collecting [the information] from directly accessing it. But when you’re talking with someone, things are largely out in the clear.”
Schlueter explained that there are a few solutions that businesses can pursue, as well as new technology on the horizon. Traditionally, as supported by a Wisegate poll, a company will use network segmentation to achieve industry standards. This places the burden of compliance fully on the organization that owns the equipment.
Another increasingly popular option is to outsource payments altogether.
“With [outsourcing] you say, ‘I don’t want this [effecting] my organization. I’m going to let someone else collect the payments, and we won’t be part of that transaction whatsoever,’” Schlueter said. “For us that was particularly trying. Being a non-profit, we want to make sure we control that relationship [between us and our customers] and not the person who’s taking the potential donation.”
There are new technologies being tried and adopted that will allow businesses to control the conversation but remain compliant. Within the conversation, payments can be intercepted through dial tones that are entered. The agent who is on the line will not be privy to the dial tones, so they’re not exposed to any compliance needs.
“It’s a novel solution that kind of provides a good blend of both without putting the compliance burden on the organization,” Schlueter said.
Of course, what works for one organization may not be best for another. Solutions and options heavily rely on different market segments. This is where a peer community accelerates the innovation cycle by providing access to the wisdom of professionals who have solved the problem in multiple ways.
“It largely depends on who your customers are and what they expect for your organization,” Schlueter said. “If you’re a retail or banking organization, I think it’s largely acceptable, and expected, that [customers are] going to first be interacting with an automated recording or dialing tree. We needed something that would allow us to maintain the relationship contact with the patient or the customer. After all, our business is taking care of their children.
“For other [industries], say you are a much smaller shop and you maybe don’t have as many options available to you from an infrastructure perspective, you may just outsource that altogether. That’s completely fine, that just wasn’t an option available to us. By engaging with my peers on Wisegate, I was more informed with a variety of perspectives that helped me frame the problem, enumerate the requirements and the see the possibilities.”
As Verizon’s report stresses, PCI DSS compliance is part of a comprehensive information security and risk-management strategy. It is important to talk with your organization about the options available and what works best for your clients and customers.
What are your thoughts? Let us know in the comments below, or join the conversation as a Wisegate member.