Reduced Scope of Healthcare PCI Environment Saving Compliance Costs

Client Profile

  • +$3 billion healthcare system
  • +10 hospitals, +2,500 beds
  • +300 outpatient sites
  • ~25,000 employees


  • The healthcare provider had spent significant money and time remediating PCI compliance gaps but was still unable to obtain certification
  • Many of the solutions being proposed had a significant impact on the end-user experience and would have required long-term operational investment
  • Disparate business groups and technologies across the various payment channels (e.g., eCommerce, point of sale, call center)
  • A small compliance/GRC team to manage the compliance effort



  • Evaluated the environment and identified areas where PCI scope could be reduced or removed entirely
  • Developed an ROI model showing that the cost of deploying scope-reduction technologies was significantly lower than the traditional remediation approach
  • Client obtained certification in one year after attempting for four
  • Identified multiple technologies and business process changes to standardize payment collection
  • Reduced scope to a level manageable by the existing team (e.g., did not require significant external hiring)



  • Long-term cost savings
  • PCI certification provided to acquiring banks
  • Removed all storage of cardholder data across the environment, significantly reducing the risk and impact of a breach


                                 Full-Scope Environment         Reduced-Scope Environment
Applicable PCI Requirements      100% of applicable controls    25-75% of controls
Est. Cost to Become Compliant    ~ $10 – $15M                   ~ $2 – $5M
Annual QSA Audit Time            4+ months                      1-2 months
Annual QSA Audit Cost            ~ $150,000                     ~ $60,000
Liability for Breach             Full Liability                 Limited Liability
Impact of Breach                 High                           Low – Medium
Resources for Program Mgmt.      4 – 5 FTE                      1 – 2 FTE