By Dr. Heather Mark, CCEP
Over the course of the last seven weeks, the business world has undergone a seismic shift. Remote work, which had its advocates and detractors over the last two decades, has become a necessity. The technology exists to make this happen, and while it hasn’t been without its obstacles, we’re living a real-time experiment in how connected we can be in isolation. Transitions and adjustments are being made to workflows and business operations to account for this new environment. With all these changes being made so rapidly, it can be easy to lose sight of the fact that our compliance and security obligations have not changed, particularly around the protection of sensitive data (PII, PHI, etc.). That can sound daunting, but there are steps that we can all take in our remote offices to help support the continued security of patient and payment related data.
- Use a secured WiFi network and VPN – a secure WiFi network requires a password to join and encrypts the traffic that travels over it. WPA2, or WiFi Protected Access 2, is the currently accepted security protocol for wireless networks (use WPA3 where your equipment supports it, and do not use the older WEP or original WPA modes, which are broken). A VPN provides an encrypted connection between your computer and the company’s network, so that your home network and internet provider only ever see encrypted traffic.
- Change default passwords on home networks – when setting up your home network, make sure that you change the default passwords set up for routers, access points, and similar devices. These are often set by vendors and are easily guessable (e.g. admin, password, default).
- Make sure devices used for remote work have secure configurations – any devices used for working at home should have personal firewalls installed and operational. Antivirus should be installed and current and all the appropriate security patches should be installed. These applications should be configured in such a way that they cannot be disabled by the user.
- Keep your work and home life separate – make sure that you’re not using personal devices for work activities and vice versa. If you do use a personal device, for example a phone, for work, make sure that you keep a separation between work information and personal activities.
- Maintain vigilance about malicious emails and information security – particularly during these unsettling times, hackers are looking for the easiest way into a network. That means getting people to give them access (by clicking links or opening attachments) instead of having to “break in.” All of the same security and compliance processes and practices that apply in the office must also apply in the remote office.
It’s also important to work with partners that can support secure payments any way you need to take them – via virtual terminal, IVR, or e-commerce. Restricting access to payment data by using tokenization and token vaults for stored payments, and requiring multi-factor authentication for access to payment applications and data, can all help to ensure that we all remain committed to securing payment data, even in non-traditional environments.
By Dr. Heather Mark, CCEP
The complex puzzle of PCI DSS compliance can be made more challenging for merchants when they introduce the wide variety of service providers that they use in order to service their customers. Increasingly, Independent Software Vendors (ISVs) are working to simplify their merchants’ burdens by introducing integrated payment functionality. In essence, the ISV is presenting a one-stop opportunity for merchants to support their business management objectives – be it through back office support, inventory management or billing – while also enabling payment functionality. In doing so, the ISV may inadvertently become the de facto resource for merchants on all things PCI DSS related. So, what are some things that ISVs can do to help support their merchants in achieving and maintaining PCI DSS compliance?
#1 – Understand your own PCI DSS compliance obligations and status
It isn’t uncommon for an ISV to be new to the payments ecosystem. Even for those companies that are deeply ingrained in the payments chain, the compliance and security obligations facing payments companies can sometimes get confusing. As an ISV, it is important to understand whether your integration of payment functionality renders you a Payment Service Provider, as defined by the PCI SSC. A Payment Service Provider is an entity that stores, processes, or transmits cardholder data on behalf of another entity, or can impact the security of the transaction. If the ISV integrates payments in such a way as to fall into that scope, then the ISV must validate compliance with the PCI DSS. Merchants must use PCI DSS compliant service providers, so it’s important that ISVs are prepared to provide their Attestation of Compliance (AOC) to their merchants.
If the ISV is able to offer payments functionality without falling into the Payment Service Provider scope, then the entity must be able to clearly articulate how they are able to maintain that status. For example, if the ISV has partnered with another PCI-compliant service provider to offer a hosted payment page, and the ISV does not host, nor does it redirect to that page, then it may be possible to remain out of scope. This is dependent on the ISV integration and the current guidance from the PCI SSC and the card brands.
#2 – Implement Industry Best Practice Even if You’re Not in Scope
Even if an ISV is able to maintain a posture that keeps it out of scope for PCI DSS, it is important to maintain industry best practice for data security and privacy. Having good security practice is not just necessary for those companies that are obligated to PCI DSS. Most states have data breach notification laws that offer safe harbor for encryption of sensitive data, as long as the encryption keys are not also exposed. Additionally, states are rapidly moving towards the adoption of privacy laws, most of which have data protection requirements. Maintaining compliance with industry standards such as PCI DSS, even in the absence of card scheme requirements, can put an ISV, and by extension their clients, in good stead with respect to existing and forthcoming regulatory requirements.
#3 – Explain the Payment Integration Options that You Offer and their PCI Implications for Your Merchants
For ISVs that are looking to add payments functionality, it’s important to understand how the choices you make about the payment solutions you integrate cascade down to merchants. For instance, if an ISV integrates a payment page that is fully hosted by a PCI DSS compliant third party, and the merchant’s website reaches that page only through a redirect or an iframe, the likelihood that the merchant will be able to validate their own compliance using the short SAQ A is fairly high. However, if the integration has the merchant’s own web page collect cardholder data or control how it is delivered to the third party (for example, a Direct Post or JavaScript form served from the merchant’s site), the merchant is more likely to be required to validate using SAQ A-EP, which is a much longer questionnaire. Both may be valid choices for a variety of reasons, but ISVs should understand the implications for their merchants, and remember that the merchant’s acquirer makes the final determination of which SAQ applies.
#4 – Clearly Communicate Who Owns What Responsibilities
The interplay between merchants and service providers can be complex, particularly if merchants are able to select services and features a la carte. This can lead to uncertainty as to which entity might own responsibility for various security controls. ISVs can demonstrate partnership with their merchants by providing a “shared responsibility” matrix. The matrix doesn’t need to be very complicated, but it should clearly delineate which PCI responsibilities belong to the ISV and which belong to the client. Since all merchants must comply, and any business with a Merchant Identifier (MID) must validate compliance, this documentation can significantly simplify their own process of PCI compliance management.
PCI DSS compliance is a fact of life for any participant in the payment system. Understanding how your decisions as an ISV can impact the compliance standing of your client portfolio can help you make more informed decisions about the solutions that you implement and may simplify the compliance and validation process for your merchants.
Solution enables health systems to meet consumer expectations for mobile payments while complementing EMR functionality.
Nashville, TN, February 27, 2020—Sphere, Powered By TrustCommerce, a leading provider of end-to-end integrated payments and security software, today announced a new collaboration with VisitPay, the leader in patient financial engagement. Together, they have launched a mobile payments solution called Text to Pay, which offers healthcare providers the ability to securely offer and accept patient payments through text messages. This innovative solution complements existing payment channels already in place to give patients an additional, convenient way to pay their healthcare bills.
Offering mobile-enabled tools for patients to manage and self-service their medical expenses is essential for healthcare providers. With the rise of high-deductible health plans and co-pays, patients today are responsible for a greater percentage of their healthcare bills. Further, consumers’ perceptions of their healthcare experience are heavily influenced by the level of transparency and convenience provided by the billing experience. People manage their lives through their mobile devices and healthcare is no different. Consumers expect to manage their healthcare needs anywhere, anytime.
Consumers are already demonstrating their preference for mobile channels. Up to 60 percent of VisitPay platform logins are now made through a mobile device, and rapid adoption of this new Text to Pay solution is expected. “Our patients are looking for mobile payment solutions,” commented Mike Weed, senior vice president of financial operations at INTEGRIS Health. “It is important that healthcare financial leaders meet consumer expectations for a contemporary financial experience.”
To meet this demand, Text to Pay combines Sphere’s leading secure payments platform with VisitPay’s patient-centric expertise in a first of a kind solution to enable health systems to take payments over SMS without exposing any sensitive card or patient information, and utilizing a card token already collected from the patient. Without needing to download another app, consumers can pay single visits or multiple visits at a time, using credit, debit, or ACH. Payments are posted automatically to the corresponding visit in the billing system, ensuring convenience and efficiency for the provider revenue cycle team.
“Through our partnership with Sphere we can help health systems offer convenient and secure payment channels to their patients,” said Kent Ivanoff, chief executive officer of VisitPay. “Mobile access to the VisitPay platform already exceeds traditional desktop usage in some regions of the US. Text to Pay is an important solution for health systems looking to meet consumers where they are, without disrupting the core EMR environment.”
“As the payments ecosystem continues to expand and extend to new frontiers, security has to be first and foremost,” said Anthony Lucatuorto, chief revenue officer of Sphere. “We have deep experience working within EHRs like Epic and are excited to offer this complementary solution that will help our clients by integrating with their existing platform in a secure and compliant way.”
Sphere and VisitPay serve many of the most recognized large, integrated health systems composed of acute facilities, ambulatory service, and every physician specialty. VisitPay’s clients represent a total of $60 billion in annual net patient revenue.
Visit booth #2488 to see the Text to Pay demo during HIMSS Global Health Conference & Exhibition, March 9-13, 2020 in Orlando.
Sphere, powered by TrustCommerce, is a software and financial technology company providing integrated solutions that reduce friction and facilitate better and more secure commercial interactions with customers in specialized vertical markets, primarily healthcare, non-profit, transportation and education. Sphere’s integrated payments technology and security software enable its clients to process payments in a way that is highly secure and compliant, integrated with their core business software, omnichannel, and processor-neutral. Sphere’s partner-centric payments solutions serve small, midsize and enterprise level businesses and software companies in the U.S., Canada, and Australia. Follow us on Twitter and LinkedIn. For news and thought leadership, visit the Sphere Blog.
Founded in 2010, VisitPay is the leader in patient financial engagement. The company’s cloud-based platform is used by the nation’s largest and most innovative health systems to deliver transparency, choice and control to patients managing healthcare payments and transactions. Through VisitPay, patients can access a comprehensive accounting of their financial obligations, as well as critical health plan and healthcare information, via a health system-branded portal. VisitPay’s proprietary analytics tailor consistent and fully compliant financing options that meet the unique needs of patients and their families, creating a simplified billing experience that drives both higher payment rates and improved patient satisfaction scores. VisitPay’s investors include Norwest Venture Partners, Flare Capital Partners and Ascension Ventures. For more information about VisitPay, visit www.visitpay.com. Follow us on Twitter and LinkedIn. Visit our Company Blog to access case studies, thought leadership and news.
By Dr. Heather Mark, CCEP
The data economy has become so pervasive in today’s business that it sometimes is necessary to pause and think about where we’d be without the explosion of data that businesses have at their disposal. Cloud software firm Domo releases an annual report on the astronomical growth of data. Their report, Data Never Sleeps, provides a fascinating example of just how people are using the internet, leaving digital trails to be followed. According to Data Never Sleeps 7.0, more than 511,200 tweets, 18,100,000 texts, and 188,000,000 emails are sent PER MINUTE. And that doesn’t include our unintentional data creation – the Internet of Things, or our browsing history, or geolocation data. Our world runs on data, which means that as consumers, we need to be able to trust that our data won’t be misused by the companies with which we do business.
A PwC survey conducted in 2017 tells us that consumers are becoming more cynical about how companies handle data. Just 25% of survey respondents believe that companies handle data responsibly and less than 15% believe that the data will be used to improve lives. Further, 87% of those respondents have said that they will take their business elsewhere if they don’t trust the data handling practices of a company.
In Francis Fukuyama’s book, Trust: The Social Virtues and the Creation of Prosperity, he proposed the idea that trust and ethics were central to economic well-being. “If people who have to work together in an enterprise trust one another because they are all operating according to a common set of ethical norms, doing business costs less…” It costs less because we know that our colleagues and our partners will behave in ways that we expect, and that serve the good of the organization. Similarly, as consumers, we are more likely to do business with organizations that we trust.
An essential element of trust is transparency. Again, referencing the PwC survey, 71% of consumers find the privacy policies posted by companies to be difficult to understand. If a consumer believes that an organization is intentionally obfuscating its practices, trust erodes. When trust erodes, consumers say they will take their business elsewhere.
The moral of the story here is that as we move more fully into the data economy, we must also move more fully into being trustworthy stewards of personal data. We do that by adhering to the letter and the spirit of the data protection laws and establishing strong information practices. Some of those practices include:
- Data Flow and Categorization – It sounds cliché, but you can’t protect what you don’t know you have. So, the first step that is typically suggested is doing a data flow or data mapping. This helps you to determine where the data is coming from, how it’s being used, and who you might be sharing it with. You may find that you’re collecting more data than you need, or that you’re sharing it with vendors that don’t need it.
- Limit Collection of Data – Another old axiom in the data security and privacy business is “don’t collect what you don’t need.” To put it simply, it’s difficult to disclose or inappropriately use data that you don’t have. Once you’ve done a data mapping exercise, you can review this with your team to determine which data is strictly needed as opposed to “nice to have.” Moreover, many of the fair information practices are built on the notion of only collecting the data that you need to complete a transaction with the individual.
- Disclosures – Transparency with your constituency about what data you’re collecting and when, and how it’s being used is one of the simplest, but most important, steps that can be taken with respect to privacy. Visitors to your site, and consumers of your product or services, can’t make informed decisions about sharing their data if they don’t understand how that data might be used. Providing clear and concise information about your information practices helps to engender trust and stands you in good stead with legislative privacy regimes.
- Awareness and Training – In today’s economy, most of our businesses and non-profits run on data. Whether we intend to or not, we become dependent on data transmission, data analysis, data storage, and data collection. That means that everyone in our organization is going to encounter personal data at some point. Given that fact, it’s important that your team knows what data is considered sensitive, and how that data is to be treated. An important part of training, that can be easy to overlook, is how to report a potential incident. For example, what should be done if someone has emailed a payment account number?
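The incident the last item raises, a payment account number (PAN) landing in an e-mail, is one a security team can check for mechanically rather than relying on staff to recognise it. The following is an added example, not code from the original article or from any product it mentions: it finds candidate card numbers in free text, confirms them with the Luhn check that every card brand’s PAN satisfies, and reduces each to the first-six/last-four form that PCI DSS permits for display, so that the incident report itself does not carry the full PAN. The e-mail text is constructed for illustration and uses the well-known Visa test number.

```python
"""Added example: detect a card number (PAN) in free text such as an e-mail body
and mask it for an incident report. Not part of the original article.
SAMPLE_EMAIL is constructed; 4111 1111 1111 1111 is a standard test PAN."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

SAMPLE_EMAIL = (
    "Hi, the patient's card is 4111 1111 1111 1111, exp 12/24. "
    "Order 2020022700001234, ticket 1234567890123."
)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. All real PANs pass; most order/ticket numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN (digits only) found in text, in order."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace each detected PAN in text with its masked form; leave other digits alone."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_EMAIL))
    print("Redacted:  ", redact(SAMPLE_EMAIL))
```

The Luhn check is what keeps the 16-digit order number and 13-digit ticket number in the sample from being reported as card data; on its own, the regular expression would flag both. Mask the PAN before it is pasted into a ticket or chat, because an incident report containing the full number is itself a new exposure.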
The dilemma facing businesses today is encapsulated nicely in the January 2019 issue of the Frontier Technology Quarterly:
On one hand, the data economy is radically transforming many economic activities and creating new levels of prosperity. On the other, it presents the possibility of a perilous dystopia … A market economy cannot function without trust, and the data economy is no exception. Trust deficits can unravel the data market and undermine social cohesion, stability and peace.