By: Jeff Lin, Senior Vice President of Product Management, InstaMed
The healthcare industry is preparing for a massive shift in October 2015 that will change crucial workflows and require new technology. No, I’m not talking about the ICD-10 deadline. I’m referring to the deadline to switch to EMV-capable card readers.
As the Senior Vice President of Product Management at a healthcare payment technology company, I am hearing that many providers, large and small, are wondering what they need to do to be “ready” with this liability shift deadline rapidly approaching. Below, I have listed the essentials of how EMV works and what providers need to do to prepare to avoid liability for counterfeit card transactions.
What is EMV?
The term EMV stands for Europay, MasterCard and Visa. EMV is a global standard for authenticating credit and debit card transactions with integrated circuit cards, or “chip cards,” at capable point of sale (POS) terminals. In healthcare, EMV offers protection in the event that a patient tries to use a stolen credit card during an office visit to pay their responsibility, such as a copay, deductible or self-payment.
What are the impacts?
Effective October 1, 2015, healthcare providers who accept payment at the point of service must have a payment card device that reads chip cards by dipping the card into the device, instead of the current standard of swiping a magnetic stripe. EMV offers an additional layer of security for card-present transactions. Here are two ways that EMV protects merchants:
- Chip cards are more difficult to counterfeit than their magnetic-stripe predecessors, and counterfeiting makes up the majority of point-of-service fraud in the industry.
- If point-of-service fraud does occur at a terminal that can accept EMV transactions, then the liability for that fraud stays with the issuer and does not shift to the merchant. If point-of-service fraud occurs at a terminal that cannot accept EMV transactions, liability for that fraud shifts to the merchant, or healthcare provider.
Beyond the EMV Deadline
EMV alone does not protect payment data – it merely prevents fraud at the point of service. This type of fraud is extremely low in healthcare. To ensure payment data is protected, merchants must use technology wherever payments are accepted that encrypts the payment data as it is captured at the time of payment and does not decrypt it until it reaches a secure endpoint, a process called point-to-point encryption (P2PE). Encryption isolates the payment data to ensure that sensitive data is not leaked or accessed at any point, thus reducing the risk of a breach. As patients demand more ways to pay, an enterprise-level view of secure and encrypted payments is critical for every point where payments are accepted, including over the phone, online and in the back office.
The new EMV fraud liability law going into effect October 2015 will require many healthcare merchants to upgrade their POS devices for this shift. However, with the rapid increase of consumer payment responsibility, you may want to invest in devices that can also capture payments made with NFC (near field communication) technology, including Apple Pay and Android Pay.