Last month, I wrote about InstaMed’s successful one-year health check for our PCI-Validated P2PE v2.0 solution. Achieving PCI Validation for P2PE is a rigorous process that proves that InstaMed’s products meet the high standards of PCI for encrypted payments. The fact that a solution can meet these standards is impressive and something to be proud of. However, meeting standards – even the highest standards – isn’t always enough. How can we go above and beyond to ensure we are creating the most secure payments experience in healthcare?
I think about it this way: I recall students in high school who had really packed schedules turning to CliffsNotes for help understanding a book. It might have been a great tool to give them all the information they needed to be able to write a paper for a passing grade. However, I preferred to study the whole book. It’s the same for payment security; you can excel at the most important requirements and feel good about the security of your systems, but without a comprehensive, end-to-end solution, you could be skimping on smaller details that offer you extra protection and functionality. That’s why it’s important for healthcare organizations to think about EMV and Apple Pay when selecting devices for their point-of-sale (PoS) payments.
EMV…Not as easy as 1, 2, 3
P2PE is the best defense against theft of credit card data, but it does not address card-present fraud. EMV (Europay, Mastercard and Visa) is the global standard for authenticating chip-based debit and credit card transactions and is very effective in preventing card-present fraud. You’ve probably seen PoS payment devices that are EMV-enabled, but have you noticed that they’re often accompanied by a sign that says “No chip. Please swipe.”?
The reality is having a payment device that supports chip cards is not enough to actually process these transactions. The merchant processing solution behind the device must be able to support EMV as well. To do so, a vendor has to become EMV-certified with all major card brands, every processor they work with and every device they offer. This is a time-consuming and expensive process, and many vendors are either held up by roadblocks or just put it off entirely.
Without support for EMV, your payment channels at the PoS are only partially secure. And while you could argue that theft of payment card data (protected with P2PE) is a much greater risk in healthcare than card-present fraud (prevented with EMV), is that really a justification for not making sure the cards themselves aren’t fraudulent?
An Apple a Day Might Be Required Some Day
Do you remember that kid on the playground who tried to convince everyone to play four square at recess because he wasn’t very good at basketball? That’s what I think of when I see payment vendors talking about low adoption of Apple Pay.
Apple Pay is a mobile payment service that leverages near field communication (NFC) to let users make payments using their iPhone or Apple Watch. Since its introduction in 2014, Apple Pay has grown in popularity among consumers in the U.S. and internationally. In fact, when Apple Pay expanded its offering to international markets in 2016, payment volume increased by 450%.
Instead of embracing new technology like Apple Pay, some payment vendors try to brush it off as a fad so they don’t have to go through the effort of including it as a new payment channel. The reality is that Apple Pay usage is growing, and with the increasing popularity of integrated health applications and wearable tech, it is likely that Apple Pay will have a significant role in healthcare payments. In fact, it could become mandatory. As I mentioned, the use of Apple Pay, and other contactless payment options, is popular in international markets – especially Europe. So much so, that Mastercard has issued a mandate that says European retailers must ensure all of their PoS devices are contactless-enabled by 2020. Considering Europe led the way with making chip cards mainstream, it seems likely that this mandate is the first step towards widespread use of Apple Pay in the U.S.
Regardless of what Mastercard or Visa might require, you’re going to want to offer mobile payment options, and here’s why: I visited my cousin on her college campus this month. I also visited her older sister who had just graduated from college and is now working in Chicago. Both my cousins and their friends are attached to their phones. They check Instagram; they check Snapchat; they text; but they don’t often check their postal mail. So, when they show up to a doctor’s office or hospital, how do you think they’re going to want to pay? Make sure you support Apple Pay at your PoS.
Want to learn more about security and compliance for healthcare payments? Check out my webinar, Security and Compliance 101: A Crash Course in Keeping Your Data Secure.