In the first edition of our Security Corner, I explained some key terms and acronyms that frequently appear in discussions about healthcare payment security. I also had the opportunity to elaborate on those explanations at the InstaMed 2016 User Conference earlier this month. But those terms, while important, do not begin to cover the span of the payment security industry. Plus, new terms are popping into our vocabulary on a regular basis, as the payment industry continues to advance and evolve (just like you’re evolving more and more into a security expert with each new edition of the Security Corner!). So, this month it’s time to introduce some new terms associated with advanced payment technologies — a.k.a. Payments 2.0.
Companies like Amazon and Uber have set the bar for convenient online payments. Consumers expect a simple experience that does not require them to re-enter their credit card information every time they pay online. In healthcare, as patient responsibility continues to rise and the industry shifts towards a consumer-centric model, the ability to save payment information online in a digital wallet to pay for healthcare bills is becoming a must-have.
However, a digital wallet that stores credit card numbers directly significantly expands an organization’s PCI DSS burden. This includes regularly rotating the encryption keys used to protect those card numbers. Instead, healthcare organizations should use tokenization as a safer and easier alternative.
Tokenization is a way to represent a sensitive item with a stand-in that does not itself contain the item. In many ways, tokenization is not a new payment technology; it has been around for a very long time. Tokens can be found at casinos in the form of chips that represent various denominations of money. If you use public transportation, chances are you carry a token with you every day, as your train or bus pass represents the money you’ve paid to use the service.
With online and electronic payments, the concept is very similar. Instead of storing the consumer’s cardholder data, you let InstaMed store that data and issue you a token to represent the credit card.
Last month, the InstaMed Innovation Lab blog talked about how providers can use tokenization to deliver consumer-friendly payment options that ensure providers get paid (such as payment plans and digital wallets). But I want to talk about the security benefits of tokenization. In healthcare, when a payment card enters a secure payment application with tokenization, the card information gets converted to a token that is associated with your organization only. This does not necessarily prevent data theft, but it does prevent someone from using the stolen token to pay for something else. If someone steals a token during a healthcare payment transaction, they cannot take that token to Best Buy and purchase a big screen TV to watch the NBA playoffs. The token has no value outside of the payment transaction it was being used for because it is exclusively associated with a healthcare provider’s merchant ID.
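As an added illustration (not InstaMed’s code; a simplified, hypothetical processor-side vault), the Python sketch below shows the merchant binding described above: the token is random, the card number never leaves the vault, the provider’s wallet keeps only the token and last four digits, and a charge attempt using a different merchant ID is refused.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample input: a standard test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


@dataclass(frozen=True)
class VaultEntry:
    pan: str          # cardholder data, held only inside the vault
    merchant_id: str  # the single merchant this token was issued to


class TokenVault:
    """Hypothetical processor-side vault that issues merchant-scoped tokens."""

    def __init__(self):
        self._entries = {}

    def tokenize(self, pan, merchant_id):
        # The token is random, so it reveals nothing about the PAN and cannot
        # be reversed without the vault; the merchant binding is recorded here.
        token = "tok_" + secrets.token_hex(16)
        self._entries[token] = VaultEntry(pan, merchant_id)
        return token

    def charge(self, token, merchant_id, amount_cents):
        """Returns (accepted, reason). The PAN never leaves this method."""
        entry = self._entries.get(token)
        if entry is None:
            return False, "unknown token"
        if not hmac.compare_digest(entry.merchant_id, merchant_id):
            # A token taken from merchant A is worthless when presented by B.
            return False, "token not issued to this merchant"
        return True, f"charged {amount_cents} cents to card ending {entry.pan[-4:]}"


def merchant_record(vault, pan, merchant_id):
    """What the provider keeps in its digital wallet: token and last four only."""
    token = vault.tokenize(pan, merchant_id)
    return {"token": token, "last4": pan[-4:]}
```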
Since its introduction in October 2014, Apple Pay has grown in popularity with consumers. It also revolutionized mobile payments and is the main reason behind a forecast of $110 billion in mobile payments transactions in 2018 (Bloomberg). Both Apple Pay and Android Pay are available for healthcare payments (in fact, InstaMed was the first to bring Apple Pay to healthcare). Plus, with the growing popularity of integrated health applications and wearable tech, it is likely that Apple Pay will continue to be relevant to healthcare payments. Therefore, it’s important to understand how it works.
Apple Pay allows consumers to use their mobile devices to make payments instead of reaching for their credit card. Apple Pay leverages three technologies to support these payments:
Near Field Communication (NFC)
Near field communication lets two devices communicate when they are within inches of each other. In the case of Apple Pay, a consumer brings her phone within inches of the NFC-equipped payment terminal.
“The Secure Element”
Within the consumer’s iPhone there is a Secure Element, a separate chip dedicated to security. When a consumer enters a credit card into the iPhone, the card network (Visa, MasterCard, American Express, etc.) sends a token to Apple, which is then stored on the phone in the Secure Element. This secure chip is also the only element within the device that can produce the token.
Touch ID
Apple uses Touch ID to authenticate point-of-sale and in-app Apple Pay purchases. Users place a finger on the iPhone’s Touch ID sensor to verify their identity; the phone then sends the token to the NFC terminal to process the payment.
In many cases, new technology introduces new security risks. In the cases above, you can both improve the consumer experience and decrease the burden of PCI compliance!