Reduced Scope of Healthcare PCI Environment Saving Compliance Costs
Client Profile
- +$3 billion healthcare system
- +10 hospitals, +2,500 beds
- +300 outpatient sites
- ~25,000 employees
CHALLENGE
- Large healthcare provider had spent significant money and time remediating PCI compliance but was still unable to obtain certification
- Many of the solutions being presented had a significant impact on the end-user experience and would require long-term operational investments
- Disparate business groups and technologies across various payment methods (e.g., eCommerce, point of sale, call center)
- Small compliance/GRC team to manage compliance efforts
SOLUTION
- Evaluated environment and identified areas where PCI scope could be reduced or removed entirely
- Developed an ROI model showing that the cost of deploying scope-reduction technologies was significantly less than the traditional remediation approach
- Client obtained certification in one year after attempting for four
- Identified multiple technologies and business process changes to standardize payment collection
- Reduced scope to manageable level for existing team (e.g., didn’t require significant external hiring)
BENEFIT
- Long-term cost savings
- PCI certification provided to acquiring banks
- Removed all storage of cardholder data across the environment, significantly reducing the risk and impact of a breach
| Description | Full-Scope Environment | Reduced-Scope Environment |
| --- | --- | --- |
| Applicable PCI Requirements | 100% of applicable controls | 25-75% of controls |
| Est. Cost to Become Compliant | ~ $10 – $15M | ~ $2 – $5M |
| Annual QSA Audit Time | 4+ months | 1-2 months |
| Annual QSA Audit Cost | ~ $150,000 | ~ $60,000 |
| Liability for Breach | Full Liability | Limited Liability |
| Impact of Breach | High | Low – Medium |
| Resources for Program Mgmt. | 4 – 5 FTE | 1 – 2 FTE |