By Noah Dermer, Security Officer, InstaMed
Twitter: @NoahDermer
At HIMSS19: Visit InstaMed in Orlando at Booth 1987
“Hello, what is your credit card number?” Have you ever found yourself in a situation where you have been asked for your credit card information over the phone? Have you ever wondered where that person was working?
Whether you are paying a healthcare bill or covering an insurance premium, there are several healthcare transactions that may require consumers to verbally give out their credit card to someone unknown to them over the phone. Credit card data and healthcare data continue to be a prime target for hackers, which is why it is important to ensure all points of interaction with cardholder data are secure, including phone calls.
Thankfully there is technology that can both protect this cardholder data while allowing healthcare organizations to offer a great customer experience without your staff hearing credit card numbers.
What Is VoIP?
VoIP is an acronym for Voice over Internet Protocol, or in more common terms, phone service over the Internet. What this means is if you have a reasonable quality Internet connection, you can place and receives calls over your Internet connection instead of relying on physical, copper telephone lines. If you are reading this at your office desk, odds are that the phone on your desk leverages VoIP. VoIP phones allow your IT and Network teams to run an ethernet cable to your desk and have it provide both Internet connectivity for your computer and also telephone services. If that phone on your desk is made by Avaya, Cisco, or ShoreTel chances are that it leverages VoIP. While this integration is great for your IT and Network teams, it can introduce significant PCI challenges articulated by the PCI Council.
PCI and VoIP
In general the PCI Council states that, “PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.” When your call center employees ask consumers for their credit card numbers, your entire VoIP network including the servers, switches, firewalls, and phones are potentially now all part of your cardholder data environment. This can dramatically increase the scope of our cardholder data environment and increase the financial and operational costs of PCI compliance.
Securing Credit Cards for Call Centers
Healthcare organizations can leverage technology to address this challenge. How would this work you might ask? VoIP protection technology sits on the edge of your network and masks cardholder data before it is transmitted throughout your organization’s network. Instead of consumers speaking the credit card number to your employee, they enter the credit card number on the keypad – either physical or virtual (e.g., iPhone). The dial tones created by the keying in of the credit card number are intercepted and then sent back to the call center agent as flat notes via a process known as dual-tone multi frequency (DTMF) masking. Your call center employee is shown the status of the data entry but is never exposed to the actual credit card number. As the agent no longer needs to capture or transcribe the credit card number, the opportunity for both data entry error and credit card theft is greatly mitigated. With this VoIP solution, you can maintain the personal relationship of talking to patients and guarantors over the phone while instilling confidence in consumers that their data is secure. As for the call center agent, VoIP protection eliminates exposure of payment data and dramatically reduces the cardholder data environment and PCI scope.
As an additional benefit, the phone call may be recorded without the risk of the recorded call containing the tones of a consumer entering his or her credit card number on the phone or saying it aloud.
Enterprise Security
It is important for all healthcare organizations to ensure that consumer payments made through any channel, including VoIP, online, and front/back office are secure. With VoIP protection, Point-to-Point Encryption (P2PE) and the InstaMed Secure Token healthcare organizations can protect payments regardless of how a consumer chooses to pay. Are you concerned about your organization’s handling of credit card transitions on your VoIP network? Come talk with us at booth #1987 at HIMSS 2019!
This article was originally published on InstaMed and is republished here with permission.