A case study on protecting dental office payments

July 5, 2017
Think your dental office is too small for crooks to care? Think again. Here are some cold, hard statistics that should get you thinking and set you into action to protect your practice.

The state of data breaches
The year 2016 set the record for data breaches. According to the Identity Theft Resource Center's (ITRC) yearly breach list, there were 781 reported breaches in 2015 and 1,093 in 2016, with 2016 representing a whopping 40% increase.(1)

Health-care companies were the biggest target for hacks in 2016, with 493 breaches, a 10.8% increase from 2015. With troves of valuable patient personal and payment data stored on networks, health-care breaches happened at the rate of one per day in 2016, with over 27 million records affected.(2)

It’s not just the big companies that are the targets. Think your dental office is too small for crooks to care? Think again. In March 2015, the Oregon dental services company Advantage Dental announced that a hacker accessed more than 151,000 patient records.(3)

“Advantage compliance manager Jeff Dover told The Bulletin that the hackers leveraged malware to obtain an Advantage employee's user name and password for the company's membership database, which is separate from the company's database for financial and treatment information.”(4)

A common thread with the majority of breaches, including the high-profile Anthem and Target store breaches, is that the crooks found their way into a system through a faulty firewall or by compromising password credentials. Once in the system, they installed malware that scoured the network for clear-text customer information, including credit card information. This information is very lucrative to hackers as it can be resold on the black market for fraudulent purchases.

PCI-validated Point-to-Point Encryption (P2PE) to encrypt credit card payments
Any business that accepts credit card payments must comply with the Payment Card Industry (PCI) Data Security Standards (DSS). In 2011, the PCI Security Standards Council (SSC) introduced guidelines for Point-to-Point Encryption (P2PE) solutions to protect payment card data. Payment providers could certify to the guidelines and then offer customers a PCI-validated P2PE solution to encrypt their credit card payments.

PCI-validated P2PE solutions encrypt cardholder data at the Point of Interaction (POI) in a PCI-approved P2PE payment terminal, and decryption is done outside of the merchant environment in a hardware security module (HSM). PCI P2PE solutions prevent clear-text cardholder data from being present in a system or network where it could be accessible in the event of a data breach.

There are many encryption products on the market that can encrypt credit card data. But only those solutions validated by the PCI SSC can provide the significant benefits of reduced PCI scope, saving businesses both time and money on annual PCI audits. Businesses are also assured that these solutions have been approved by the Council.

P2PE for dental office payments—Bluefin Payment Systems and Curve Dental Case Study
In March 2014, Bluefin Payment Systems became the first company in North America to receive PCI validation for its P2PE solution. The same year, Bluefin also partnered with dental practice management software provider Curve Dental to provide Curve clients integrated payment processing through Curve’s platform, Curve Hero. Recognizing the importance of protecting credit card information, Curve Dental opted to add Bluefin’s PCI-validated P2PE solution to their integrated payments piece.

“Our customers expect their technology partners to act upon the news of massive credit card theft incidents to strengthen current payment processes,” said Curve Dental CMO Andy Jensen. “Incorporating Bluefin's security features into our management software, such as point-to-point encryption, provides an additional level of security to keep credit card information safe.”

Bluefin and Curve Dental just released a case study on Curve Hero’s integrated payments piece backed by PCI-validated P2PE. The case study features an actual implementation by Dr. Josh Berd, founder of The Dentist Group in San Francisco.

The study details the benefits that integrated payment processing has provided The Dentist Group, including the elimination of manual payment reconciliation with their software systems, the increased security provided by the P2PE solution, and the flexibility of the software and payment terminal. This has enabled Dr. Berd to turn his six operatory rooms into their own fully functional office.

Also, because of the integration with Curve, Dr. Berd only had to plug in the payment terminals to his laptops and they were ready to process with P2PE, providing both security and a simple implementation.

The case study is available for download.

Bluefin is hosting a free webinar July 11 at 2 p.m. EST. Find more information and register here.

Ruston Miles is the founder and chief innovation officer of Bluefin. He has over 15 years of experience in payment processing, specializing in developing secure payment gateway technologies. Ruston serves as Bluefin’s payment technology evangelist, speaking all over North America on payment trends and technologies, educating the business world on the highest levels of payment security. Ruston is a PCI Professional (PCIP), Certified Payment Professional (CPP), Certified Internet Business Strategist (CIBS), and an active participant with the PCI Security Standards Council.