This is a guest post from Vincent Martino, Chief Product Officer & Co-Founder of VisitPay.
In this Q&A, Vincent Martino shares how VisitPay helps simplify and consolidate the patient experience. He also discusses the value of choosing a technology compatible with Sphere to ensure your organization continues to manage a single, integrated experience.
Why are health systems choosing a platform like VisitPay?
Vincent Martino: Health systems are choosing VisitPay primarily for the increase in patient satisfaction we drive combined with the resultant increase in cash payments. The platform provides patients a consolidated billing process that creates an unparalleled amount of transparency, which in turn creates more loyal and better-paying patients. Our clients' Net Promoter Score (NPS) for their billing experience is in the 40s, which is three times higher than the average across healthcare. Bills are also higher than they have ever been, and providers have a need to deploy more advanced strategies and capabilities to manage this growing and difficult-to-collect asset. The VisitPay team offers a tremendous amount of consumer finance experience to help guide and advise client-specific strategies, which can be enabled and delivered through the platform.
What teams in the health system are typically driving that work?
Martino: We team up with teams across the entire health system. Of course, the CFO and rev cycle organization are key partners – VisitPay offers a lot of flexibility in terms of how it's deployed, and many of the financial offer decisions will be driven by these teams. Oftentimes the consumer experience team will also influence or drive some of the configurations. The patient billing experience is complex and also is viewed as an increasingly important part of the overall healthcare experience. Therefore, we also partner with the information and technology groups, patient access, the treasury department, and the marketing departments.
What are the implications of this from a payment processing experience?
Martino: It’s important to create cohesive, system-centric experiences for your patients and operational efficiency for your staff. Finding a patient financial experience company that can effectively partner and collaborate with the different teams within your healthcare system is very important – and it’s vital that your partner can drive alignment when you need them to do so.
Why is it good to have a single payment environment?
Martino: Having one integrated payment solution from end to end is a good thing for a health system and for your patients. It provides the most efficiency for your staff in terms of posting, reconciliation, and reporting. And it provides the best experience for patients by providing a single place to save payment method information.
Any industry trends in payments? Any that could influence change?
Martino: Prior to COVID, we were already seeing a trend around contactless payment and “login-less” payment, and the two essentially go together and can be one and the same. And COVID has only accelerated the need for contactless payments. Every consumer today essentially has a “payment device” in the mobile phone they carry with them everywhere they go. VisitPay has deployed multiple novel ways to pay from that device, which are all contactless in nature. One specific payment option we offer is “Text To Pay,” which serves as both a contactless and “password-less” way to pay. VisitPay developed and now offers Text to Pay in partnership with Sphere. This provides the patient with an automated text when a balance is due and provides them a way to pay their bill securely, without needing to log into an application to do so. In general, we are seeing more consumers willing to pay from their mobile device using a variety of payment options – some of our clients have over 60% of their consumers paying via mobile devices.
How do these changing trends impact the people running infrastructure?
Martino: I think the organization should continually be looking to deploy new technologies that provide easier and better ways to pay bills. That said, ideally, newly added technologies shouldn’t create an added process or management burden for the organization that manages the infrastructure. There are vendors in the market that seamlessly combine technologies onto one platform to ensure efficiency for your team. When assessing the market, be sure to ask if all payment technologies are centralized on a common processing, reporting, and reconciliation platform.
To learn more about VisitPay and Sphere solutions, such as Text to Pay, request a demo.
Sphere recently sat down with its own Andrew Immerman, Senior Vice President of Technology, to answer questions asked regularly by software vendors when choosing a payments platform with which to integrate. Mr. Immerman leverages over 20 years of experience in the development, deployment, coordination and operation of quality-driven, mission-critical technologies.
Sphere: Why use a gateway when you can connect directly to an acquirer/processor?
Immerman: Premium gateways are optimized to dramatically reduce the costs and risks of electronic payment acceptance. In general, processors are optimized to extend as much functionality as possible to the widest possible user base. To facilitate these objectives, premium gateways offer user-friendly human interfaces and easy-to-integrate application programming interfaces (APIs). Processors, on the other hand, extend complex, yet highly functional, user interfaces and APIs. As a result, processor interfaces are generally far more costly and time consuming to implement.
Premium gateways offer a wide variety of value adds and flexibility processors generally cannot. For example, gateways can offer fraud prevention and analysis solutions generally beyond those of the processors themselves. Additionally, gateways can offer management and automation for scheduled payments, such as those of a recurring, installment, or deferred nature. Aside from such functional value adds, gateways almost always natively support seamless transitions from one processor and acquirer to another.
In general, only merchants processing an extreme and sustained volume of transactions, such as 100+ transactions per second (TPS), are advised to directly integrate with a processor. Such merchants essentially build and use their own gateways, though often without the benefit of proven and ever-maturing technologies.
Sphere: Should gateway uptime/availability be a concern when selecting a gateway, or has cloud computing made this a non-issue?
Immerman: Dependability, performance, security, and many other quality attributes should be considered whenever evaluating any technology for use. As part of any dependability evaluation, availability, reliability, resiliency, and controllability should all be considered. Availability describes a system's functional readiness; reliability describes a system's functional correctness and consistency; resiliency describes a system's ability to endure exceptions; and, controllability describes the efficacy and efficiency of system controls for management, maintenance, and administration. These quality attributes are implemented using careful and proven design, development, and deployment lifecycles.
“Cloud”-based technologies generally enjoy greater dependability and performance through service-driven relationships that abstract single points of failure. The configuration of cloud-based technologies and, more so, the services, applications, and other software that run thereon, dictate the potential and realized dependability and performance of such technologies. Put another way, cloud-based technologies reduce some risks; however, poor designs, such as those having single points of failure, are often just as failure-prone as are non-cloud-based technologies. As an analogous example, consider that multi-engine aircraft are often considered safer than singles. In actuality, multi-engine aircraft are generally more challenging to operate and are still susceptible to fuel depletion and contamination, both essentially being single points of failure.
When considering the introduction of any new technology, such as those of a payment gateway, it is generally advisable to obtain historical dependability, performance, and security data, as well as to understand and assess its continuity, resiliency, and resumption considerations.
Sphere: Does using a gateway add time to a transaction, especially if it’s EMV? Can bandwidth/capacity affect transaction times, especially during peak periods?
Immerman: Whereas all payment processing steps do increase round-trip transaction times, premium gateways do so with increases of no more than 10 to 50 milliseconds, including EMV overhead. In many cases, a premium gateway may be able to offer reductions in transaction times through highly tuned, high-throughput integrations with upstream entities. As an example, Sphere round-trip transaction times include overheads generally well under 50 milliseconds and, in total, average less than one second, including all round-trip times with the processor, associations, and issuers.
Sphere: Every gateway is PCI validated; what makes Sphere more secure?
Immerman: Payment gateways, like all entities that handle sensitive cardholder information, are expected to maintain ongoing compliance with the PCI Data Security Standard (DSS). That said, not all do. In some cases, organizations predominantly focus on annual PCI DSS revalidation efforts, as opposed to ongoing compliance. Often, the terms “secure,” “compliant,” “validated,” and “certified” are used interchangeably when, in fact, each is distinctly different from one another. For example, being secure and/or being compliant are ongoing states, while being validated and/or being certified are based on assessments of security and compliance at specific points in time. Moreover, most security and/or compliance assessments are sample based, as opposed to being comprehensive. Additionally, no single security standard is truly comprehensive or all encompassing. All this is to say that being PCI “validated” may only be a superficial indication of an organization’s security and/or compliance maturity.
In numerous ways, Sphere distinguishes itself in the community of payment gateways and other service providers. As just a few examples of Sphere’s commitment to exceptional security and compliance:
- Sphere maintains several independent compliance and security organizations that operate in tandem with one another, as well as with mutual accountability;
- Sphere prioritizes and invests in security and compliance as separate activities to ensure that both are achieved;
- Sphere leverages several security frameworks to ensure better coverage (e.g., Sphere maintains compliance with the PCI DSS, as well as the PCI Point-to-Point-Encryption (P2PE) Standard and the HITRUST Common Security Framework (CSF));
- Sphere establishes compliance and security requirements that, in many cases, exceed those of the PCI DSS, PCI P2PE, and/or HITRUST CSF;
- Sphere invests separately in the architecture, the implementation, the administration, and the assessment of security and other sensitive solutions;
- Sphere implements security considerations through the lifecycle of all plans, processes, products, and technologies;
- Sphere offers and encourages ongoing training for all employees; and,
- Sphere maintains a culture where security, privacy, compliance, and risk mitigation in general are championed.
Sphere: What can go wrong with payments and what risk does that introduce to me and my customers?
Immerman: Payment processing involves numerous entities and many complex workflows. Any degradation with any interconnectivity, any degradation with any processing entity, and/or any workflow exception can lead to connectivity failures, processing failures, duplicated or otherwise erroneous financial authorizations, incorrect settlement or funding, etc., not to mention numerous risks relating to security, privacy, and compliance.
Premium payment gateways implement numerous checks, balances, and other controls to minimize the vulnerabilities and risks of processing exceptions. Such controls may include redundant connectivities, client- and server-side availability switching (fail-over and load-balancing), verification cross-checks, integrated and continuous system health and integrity monitoring, and autonomous exception containment, mitigation, recovery, and reporting.
Sphere: Is integrating to Sphere more complicated than using other gateways?
Immerman: Sphere technologies were designed to be inherently easy to integrate. As an example, the TC Link API, a highly dependable and highly flexible application programming interface (API), can easily be integrated with less than a dozen lines of programming code. Additionally, Sphere products are designed and assured to be compatible with all major operating systems and operating environments. For more information, please refer to the TC Link API Developer Guide, which details and demonstrates its integrational simplicity, as well as its vast functionality.
The Sphere Technology team and I are very proud of the products and services we offer. We look forward to addressing any questions or comments our partners may have, and to assisting with all integration efforts.
To learn more about the developer resources that Andrew mentioned, visit our integration page or contact us below:
While healthcare providers are properly focused on patient care, it is important not to overlook the overall patient experience. There are many opportunities to make improvements. One practical way to do this is to allow multiple, digital points of payment. Why is this important? Out-of-pocket costs for patients have increased by 230% in the previous 10 years. Coupled with the challenges presented by COVID-19, health systems need to meet patients where they are and accept non-touch payments anytime, anywhere to improve collections.
Adding new ways to pay may seem like a daunting task. With complex systems that must adhere to stringent compliance and security requirements, the time and resources this change will take may seem like a barrier.
But, with the implementation of a centralized, secure payment solution that can integrate with EHR, kiosks, IVR, and other systems, it becomes much less burdensome. In addition to improving the payment experience for patients, resulting in improved collections, it can also provide organizations with valuable insights and centralized reporting and reconciliation.
Realize Revenue Earlier
An important, bottom-line benefit to providing more points of payment is that it can positively affect an organization’s cash flow by realizing revenue earlier in the billing process. There are smart, simple and secure solutions that can help drive business forward.
69% of consumers don’t believe that healthcare is keeping pace with payments innovation.
You can improve this perception by adding payment methods, which can help increase on-time payments and provide patients with the flexibility and security they require. Patients are used to paying for goods and services online, on mobile devices, in-app and more. They expect the same capabilities when paying for healthcare services.
To learn more about how healthcare organizations can take payments securely, via many channels, please check out our new E-book, “Secure Payments at Every Touchpoint”.
By Dr. Heather Mark, CCEP
Privacy data leaks can cause long term damage to an organization. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately. Here are 5 questions to get you started.
The subject of data privacy and consumer rights has been a hot topic over the last several years. Beginning with the implementation of the General Data Protection Regulation (GDPR) in the EU, continuing with the passage of privacy laws in California, Massachusetts, and Nevada, and now with the proposal of almost a dozen more state-level consumer privacy laws, businesses have to sit up and take notice. While these laws certainly aim to protect consumers from businesses that might intentionally misuse data, they also mean that organizations must be cognizant of the ways that such sensitive data might "leak" into, or out of, their business ecosystems and the potential damage that can be done by such "contamination."
I use the term toxic data here to describe data that is protected by regulation (Personally Identifiable Information or PII, Financial Information, Protected Health Information, etc.). This data carries with it responsibilities and has to be handled appropriately to avoid serious negative consequences. Not to overdo the analogy, but for small businesses particularly, leaks of such data can prove fatal. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately.
Here are five straightforward questions that organizations can ask to start getting a feel for their own practices.
- What data do we collect?
Surprisingly, the answer to this question for many companies is, "I'm not sure." If an organization has been in operation for some time (5 years or more), it may be the case that data collection began simply, with a contact or payment form or cookies and web beacons. Some organizations may have relied on third parties to help with forms and websites and may not have a complete list of data that is collected. In other cases, data collection protocols that were purposely set up may not have evolved with the organization's needs over time. Doing a data inventory (finding out what data you collect and where that data is stored) is a critical component in protecting that toxic data. You can't protect it if you don't know that you have it.
- Why do we collect that data?
Once you’ve determined what data is being collected by the organization, the next step is to answer the “why?” This is where the rubber meets the road. If there is no specific business purpose to collecting the data (i.e., it is considered a “nice to have” or no one can really identify its purpose) then the organization should really examine whether it should change their practice. The more toxic data a company stores, the higher the liability exposure if the data is compromised or, in the case of GDPR, CCPA and similar laws, if the data is used inappropriately. The general guideline for data – if the data is not needed, it should not be collected.
- How does data flow through and out of our organization?
This one might seem obvious, but data has a habit of migrating through organizations if it is not carefully constrained. Understanding how different departments interact with the data helps to develop appropriate controls in the departments that handle the toxic data. For example, if the "contact" form for your support group also provides information to your product group or your account management group, understanding where that data goes allows the organization to focus its resources on protecting those data flows and data stores. Additionally, it might bring to light data uses that were not widely known in the organization, allowing for a discussion of risk and appropriate data uses. Understanding the data flow allows the organization to maximize the positive aspects of data use without "infecting" departments that have no need to access or use it.
As important as how the data flows through the organization is how the data flows out of it. What third parties are being used to support the business operation, and how do those organizations access and use data? Do they need the data to fulfill their obligations? Sitting down and going through these relationships can be extremely helpful in identifying critical vendors and helping to manage third party risk.
- How do we dispose of data when it is no longer needed, or a deletion request is received?
The issue of data disposal, "deletion" or "erasure" is certainly complex and worth speaking with counsel about when drafting and implementing policies and practices. For the purposes of this discussion, the question is how an organization can ensure that such toxic data is appropriately removed from the network or systems. CCPA allows for anonymization or de-identification of data. This means that identifying information is removed so that the data element cannot be tied to an individual. Organizations must also balance their regulatory obligations to maintain records against the consumer request. While the regulatory obligation will supersede the deletion request, it is possible for organizations to meet the spirit of a deletion request while maintaining their legal obligation for record keeping. Doing so requires careful planning and execution and a clear understanding of privacy requirements.
- How do we disclose our data privacy practices?
The central tenet of all privacy laws, and the fair information principles on which they are based, is providing the consumer with the ability to make a clear, informed decision about how their personal information is collected and used. To further that objective, organizations must disclose clearly and explicitly the ways in which data is collected and used. Further, consumers must have easily identifiable mechanisms to make privacy-related requests of the organization. And the notice must be provided PRIOR to the collection of data. If data is shared with third parties, that, too, must be disclosed. This allows the consumer the ability to really understand why certain data elements are being collected and how they are being used before they consent to share it.
Designing, implementing, and maintaining a privacy program is an "all hands on deck" operation. Every department must be bought in to get a comprehensive picture of the organization's privacy prognosis and create a "treatment plan" for the toxic data. This also assists in obtaining organization-wide buy-in on the program.
Personal information is the currency of this age. Consumers will trade privacy for convenience. The Center for Data Innovation found that 58% of Americans are willing to trade their personal data for a greater level of personal convenience. That gives organizations a great deal of power, but also a great deal of responsibility. In order to ensure that companies are mindful of that obligation, states are taking the lead in establishing consumer rights with respect to how data is collected and used. Understanding your organization's relationship with potentially toxic data can help keep everyone, business and consumer, safer.
Health systems have been hard hit by the economic impact of COVID-19. Unfortunately, bad debt will rise for providers as patients prioritize their bills, oftentimes putting medical bills last.
Ryne Natzke, Vice President of Strategic Accounts and Healthcare at Sphere joined Vince Martino, Chief Product Officer & Co-Founder at VisitPay to discuss 3 ways to reduce cost and recover patient revenue during a recession.
Want to learn more about Sphere and VisitPay? Read Sphere’s interview with Vince Martino, Chief Product Officer of VisitPay.
By Dr. Heather Mark, CCEP
In the wake of the COVID-19 pandemic, fraudulent activity and scams have been on the rise. As a result, scammers are looking for ways to test their stolen card information. One way they do that is to find portals or e-commerce sites that have payment forms and use those forms to “test” cards. This is done by running hundreds or thousands of small transactions to see if they will be authorized. If these small transactions are authorized, the criminals assume the card is “good.” Meanwhile, the merchant may not know that this has happened until an expensive invoice is received for those “auths.”
In order to combat these types of scams, here are three ways merchants with an internet presence can mitigate their risk proactively:
- Implement CAPTCHA – CAPTCHA is an easy test that users take on web-based forms to prove that they are not a “bot.” These may include simple math questions or identifying pictures from an array. This simple step allows merchants to filter out bad actors and helps to ensure that their payment site is not being misused.
- Use TC CrediGuard – TC CrediGuard is a product offered by Sphere that allows merchants to set parameters for certain transaction patterns. Merchants can set TC CrediGuard to deny transactions based on a set of predetermined criteria. For example, a merchant may set parameters to deny transactions after five attempts from the same IP address within 7 minutes. Or, if the IP address of a bad actor is known, a merchant may block that specific IP address.
- Add a Log-in Screen – Payment forms that reside in front of a log-in page may be more convenient for your customers, patients, or donors, but they can also make it easier for criminals to use that payment screen as a tool for testing card numbers. By adding a log-in screen, you create a barrier that may protect your business from becoming a target for these types of schemes.
By implementing these recommendations, merchants can take significant steps towards mitigating the likelihood of a Primary Account Number (PAN) or Card Testing event.
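As an added illustration of the velocity rule described in the TC CrediGuard item above (deny further attempts once five have come from one IP address within 7 minutes, and block a known bad IP outright), here is a small sliding-window check run over constructed authorization log lines. This is example code written for this post, not TC CrediGuard's or Sphere's implementation; the log format, the addresses, the timestamps and the blocklist are all assumptions.

```python
"""Sliding-window velocity check for card-testing (PAN-testing) traffic.

Constructed example: the thresholds mirror the rule quoted in the post
(five attempts per IP per 7 minutes); everything else is assumed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # attempts allowed per IP inside the window
WINDOW = timedelta(minutes=7)    # sliding window length from the post

# Constructed log lines: a burst of small "test" authorizations from
# 203.0.113.7, one ordinary payment from 198.51.100.2, and one attempt
# from 192.0.2.9, which we pretend is a known bad address.
SAMPLE_LOG = [
    "2024-06-03T14:00:05Z ip=203.0.113.7 amount=1.00 result=approved",
    "2024-06-03T14:00:09Z ip=198.51.100.2 amount=85.50 result=approved",
    "2024-06-03T14:00:12Z ip=203.0.113.7 amount=1.00 result=declined",
    "2024-06-03T14:00:20Z ip=203.0.113.7 amount=1.00 result=approved",
    "2024-06-03T14:00:31Z ip=203.0.113.7 amount=0.50 result=declined",
    "2024-06-03T14:00:44Z ip=203.0.113.7 amount=1.00 result=approved",
    "2024-06-03T14:01:02Z ip=203.0.113.7 amount=1.00 result=approved",
    "2024-06-03T14:01:15Z ip=192.0.2.9 amount=1.00 result=approved",
    "2024-06-03T14:01:40Z ip=203.0.113.7 amount=1.00 result=approved",
    "2024-06-03T14:07:30Z ip=203.0.113.7 amount=1.00 result=approved",
]
BLOCKLIST = {"192.0.2.9"}        # constructed: an operator-entered bad IP


def parse_line(line):
    """Parse '<ISO-8601 UTC timestamp> ip=<addr> amount=<n> result=<r>'."""
    ts_text, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return {"ts": ts, "ip": record["ip"],
            "amount": float(record["amount"]), "result": record["result"]}


class VelocityGuard:
    """Counts attempts per source IP inside a sliding time window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW, blocklist=()):
        self.max_attempts = max_attempts
        self.window = window
        self.blocklist = set(blocklist)
        self._attempts = defaultdict(deque)   # ip -> timestamps in window

    def decide(self, event):
        """Return 'allow' or 'deny' for one attempt; call in arrival order."""
        ip, ts = event["ip"], event["ts"]
        if ip in self.blocklist:
            return "deny"
        q = self._attempts[ip]
        # Forget attempts that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        # Every attempt counts, approved or declined: a tester learns
        # something from both outcomes, and denied attempts still count.
        q.append(ts)
        return "deny" if len(q) > self.max_attempts else "allow"


def run_rules(lines, blocklist=BLOCKLIST):
    """Apply the guard to each log line; returns (timestamp, ip, decision)."""
    guard = VelocityGuard(blocklist=blocklist)
    decisions = []
    for line in lines:
        ev = parse_line(line)
        decisions.append((ev["ts"].isoformat(), ev["ip"], guard.decide(ev)))
    return decisions


def denied_ips(decisions):
    """Source addresses that triggered at least one deny (for review)."""
    return {ip for _, ip, decision in decisions if decision == "deny"}


if __name__ == "__main__":
    for ts, ip, decision in run_rules(SAMPLE_LOG):
        print(ts, ip, decision)
    print("flagged:", sorted(denied_ips(run_rules(SAMPLE_LOG))))
```

The sixth and seventh attempts from 203.0.113.7 are denied while the attempt at 14:07:30 is allowed again, because the three earliest attempts have slid out of the 7-minute window by then.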
To learn more about secure online payment solutions and fraud reduction tools, please contact a Solutions Consultant at 800.915.1680, option 2 or email@example.com.
This is a guest post by Barnard Crespi, Co-Chief Executive Officer of Datatel. Datatel is integrated with Sphere for secure payment acceptance via Datatel’s IVR solutions.
Learn how IVR Payment Solutions Can Help Healthcare Providers Relieve the Stress on Staffing and Business Operations Caused By the COVID-19 Pandemic
The COVID-19 pandemic has drastically impacted the functioning of healthcare providers across the board. Business leaders have been forced to recalibrate their entire operations, quickly activate business continuity plans, make staff reductions and/or reallocations and implement work-at-home policies where viable. The ability of healthcare providers to respond promptly to their patients’ phone inquiries, prioritize payment calls and maintain PCI compliance and data security as staff works from home can be compromised by the need for on-the-fly re-architecture of business and security processes to respond to rapidly changing developments. For those healthcare providers seeking a solution to what might very well end up becoming a long-term issue, IVR payments can be a vital payment acceptance solution. Implementation of IVR payments can help healthcare providers relieve the stress caused by the need for significant staff changes while enabling them to continue processing patient payments. All this without compromising customer service or PCI compliance.
IVR Payments (Interactive Voice Response) is a technology that allows patients to make payments over the telephone by interacting with an automated system, as opposed to having to provide their payment card information to a live agent. Because it is fully automated, an IVR payment solution can operate 24/7 as opposed to being limited to a business’s normal hours of operation (“normal” being an ever-evolving concept in these uncertain times). And for those healthcare providers that for various reasons still require the involvement of an agent or staff member in the process, IVR can be deployed in such a way as to allow representatives to speak to patients and then transfer the call seamlessly when it’s time to collect and process the caller’s payment information.
Types of IVR Payment Solutions
There are two primary types of IVR payment solutions.
- Customer (Patient) Self-Service – IVR Payment Solutions:
With Customer (Patient) Self-Service IVR payments, your patients call into your organization's existing phone number and select "Payments" from your front end phone menu (e.g. "To Make A Payment Now, Press 1". You can set it as 1, 2 or 3, whichever works best for your organization). Your phone system will transfer the call to your DatatelPay-By-Phone line, which is branded and configured to your specifications. Your patients can make a payment using their payment card, in a PCI compliant environment with transactions processed in real-time to your Sphere, Powered by TrustCommerce account. Datatel's IVR Payment platform is integrated to the Sphere/TrustCommerce gateway so organizations can process payments securely. Sphere's experience in integrating patient payments for hundreds of leading health systems over the last 15+ years gives comfort to patients and providers that their data will be kept secure.
- Agent Assisted – IVR Payment Solutions
While your representative is speaking with a patient, he or she can transfer your patients to the DatatelPay-By-Phone line when it comes time to collect the patient's payment information. Your representative can then exit the call, thereby ensuring the confidentiality of your patients' payment card information. This solution leaves your patients confident that their information is safe and secure, and you can rest easy in the knowledge that your phone payment solution supports your PCI compliance.
Datatel’s IVR Payment Solutions can help you manage call payment activity efficiently and securely. Among its many advantages are:
- Your patients can securely make phone payments 24/7, outside your regular business hours
- The stress on your staff is reduced and your operations are more efficient and responsive by not having to devote time to handling payment-related calls. This can also work with representatives who are re-deployed to work from home.
- Complies with industry security requirements (PCI and HIPAA) and keeps you in compliance while you re-deploy your workforce.
- Transactions flow directly into your existing Sphere, Powered by TrustCommerce account without having to make any changes.
- Datatel posts the payment information back to the EHR automatically.
- Datatel IVR solutions can be deployed in a matter of days. Depending on the complexity of the deployments, implementation times can take as little as 5 to 12 business days.
We are hopeful that with the efforts of medical experts and scientists globally, the current COVID-19 pandemic and the impact that it has on all of our lives will begin to subside. Businesses and organizations that are burdened with coping with all of the implications need to make sure that they are not just making decisions that help them navigate the here and now, but that will also serve them well when things eventually return to normal (or whatever the new normal ends up being).
In turbulent times like the ones we are experiencing, when the situation changes throughout the day and reaction time is of the essence, our experienced and dedicated teams of IVR Payment Solutions specialists can have your IVR Payments Solution up and running in a matter of days with no need for any hardware or software for you to buy or install. Contact us, we are here to help.
As government, city and other civic agencies enact restrictions on businesses in an effort to safeguard the public and prevent the spread of germs, exceptions have been granted for what most are calling essential businesses or essential jobs. Examples include grocery stores, medical offices, postal services, childcare or senior care centers, transportation providers and more.
While these businesses and service providers remain open to patrons, it’s important to practice safe social distancing and limit the amount of contact made, including during each payment transaction.
Here are a few ways essential businesses and consumers can limit contact when a transaction takes place:
Contactless Payment Solutions
The spread of germs through cash and card-present transactions is top of mind. Contactless payment methods, such as payment cards enabled with NFC chips, or smartphones enabled with Apple Pay or Google Pay*, help merchants and customers avoid physical interaction. When choosing a terminal for your business, consider its contactless capabilities. While the adoption of contactless payments has been a trend recently, the popularity of this type of transaction is paramount in a time where the spread of germs is a heightened concern.
No Signature Required
Don’t forget, as of 2018, the card brands (Visa, Discover, MasterCard, American Express) no longer require signatures when making a purchase with a credit card. There’s no need to have pens available for customers to use to sign. This simple step can give everyone peace of mind.
Pay Before You Go
A popular way to reduce contact is to allow customers to prepay for goods and services when possible via a remote payment option such as an online payment, text to pay, or over the phone.
Properly Clean Equipment
Some contact with devices is unavoidable. Most device manufacturers are offering guidance on how to properly clean your equipment. In addition, consumers and employees can help by cleaning payment cards regularly, practicing safe social distancing, wiping down checkout counters and surfaces, and washing hands between each transaction.
As businesses start to reopen their doors and social distancing recommendations start to ease, there may still be a demand from cautious consumers to limit any potential interactions. There is no way to know what consumer behaviors will last beyond the current environment. It’s a good idea for businesses to make these features available to consumers who wish to continue to minimize contact with others even after all restrictions are lifted.
*NFC/Contactless is limited to hardware manufacturer device capabilities and/or authorization network EMV certifications.
By Dr. Heather Mark, CCEP
Over the course of the last seven weeks, the business world has undergone a seismic shift. Remote work, which had its advocates and detractors over the last two decades, has become a necessity. The technology exists to make this happen, and while it hasn’t been without its obstacles, we’re living a real-time experiment in how connected we can be in isolation. Transitions and adjustments are being made to workflows and business operations to account for this new environment. With all these changes being made so rapidly, it can be easy to lose sight of the fact that our compliance and security obligations have not changed, particularly around the protection of sensitive data (PII, PHI, etc.). That can sound daunting, but there are steps that we can all take in our remote offices to help support the continued security of patient and payment-related data.
- Use a secured WiFi network and VPN – a secure WiFi network uses a password and encryption to protect access to the network and the data that travels over it. WPA2, or WiFi Protected Access 2, is the currently accepted security protocol for wireless networks. A VPN will provide a secure connection between your computer and the company’s network.
- Change default passwords on home networks – when setting up your home network, make sure that you change the default passwords set up for routers, access points, and similar devices. These are often set by vendors and are easily guessable (e.g. admin, password, default).
- Make sure devices used for remote work have secure configurations – any devices used for working at home should have personal firewalls installed and operational. Antivirus should be installed and current and all the appropriate security patches should be installed. These applications should be configured in such a way that they cannot be disabled by the user.
- Keep your work and home life separate – make sure that you’re not using personal devices for work activities and vice versa. If you do use a personal device, for example a phone, for work, make sure that you keep a separation between work information and personal activities.
- Maintain vigilance about malicious emails and information security – particularly during these unsettling times, hackers are looking for the easiest way into a network. That means getting people to give them access (by clicking links or opening attachments) instead of having to “break in.” All of the same security and compliance processes and practices that apply in the office must also apply in the remote office.
It’s also important to work with partners that can support secure payments any way you need to take them – via virtual terminal, IVR or e-commerce. Restricting access to payment data by using tokenization and token vaults for stored payments, and requiring multi-factor authentication for access to payment applications and data, can all help to ensure that we all remain committed to securing payment data, even in non-traditional environments.
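To make the tokenization point concrete, here is an added example (written for this page, not Sphere's product or API) of the token-vault pattern: the application layer keeps only an opaque random token and a masked PAN, the full card number lives solely inside the vault, and detokenization is refused unless the calling service identity is on an authorised list (a stand-in for the MFA-gated access the post recommends). The Luhn check, the masking rule and the `TokenVault` class are all illustrative constructions; the card number used in the comments is a well-known test number, not real cardholder data.

```python
"""Added example: minimal token vault pattern (illustrative, not Sphere code).

Application code stores only StoredCard (token + masked PAN + expiry).
The vault holds the full PAN behind a random, unguessable token and only
releases it to authorised callers.
"""
import secrets
from dataclasses import dataclass
from typing import Iterable


def luhn_valid(pan: str) -> bool:
    """Luhn check: catches mistyped numbers before anything is stored."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class StoredCard:
    """What the application is allowed to keep: no PAN, only a reference."""
    token: str
    masked: str
    expiry: str


class TokenVault:
    """Maps random tokens to PANs; the PAN never leaves the vault except to
    callers listed in `authorised_callers` (hypothetical service identities)."""

    def __init__(self, authorised_callers: Iterable[str]):
        self._store: dict = {}
        self._authorised = frozenset(authorised_callers)

    def tokenize(self, pan: str, expiry: str) -> StoredCard:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # 24 random bytes: the token carries no information about the PAN
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = pan
        return StoredCard(token, mask_pan(pan), expiry)

    def detokenize(self, token: str, caller: str) -> str:
        """Only an authorised caller (e.g. the charge service) gets the PAN back."""
        if caller not in self._authorised:
            raise PermissionError(f"{caller!r} may not detokenize")
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return pan


def store_card_for_recurring(vault: TokenVault, pan: str, expiry: str) -> StoredCard:
    """Application-side helper: after this returns, the app holds no PAN."""
    return vault.tokenize(pan, expiry)
```

In a real deployment the vault would sit in its own network segment with the stored PANs encrypted at rest and the authorisation decision tied to the service's authenticated identity; the point of the pattern is that a compromise of the application database yields tokens and masked numbers, not usable card data.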
By Dr. Heather Mark, CCEP
The complex puzzle of PCI DSS compliance can be made more challenging for merchants when they introduce the wide variety of service providers that they use in order to service their customers. Increasingly, Independent Software Vendors (ISVs) are working to simplify their merchants’ burdens by introducing integrated payment functionality. In essence, the ISV is presenting a one-stop opportunity for merchants to support their business management objectives – be it through back office support, inventory management or billing – while also enabling payment functionality. In doing so, the ISV may inadvertently become the de facto resource for merchants on all things PCI DSS related. So, what are some things that ISVs can do to help support their merchants in achieving and maintaining PCI DSS compliance?
#1 – Understand your own PCI DSS compliance obligations and status
It isn’t uncommon for an ISV to be new to the payments ecosystem. Even for those companies that are deeply ingrained in the payments chain, the compliance and security obligations facing payments companies can sometimes get confusing. As an ISV, it is important to understand whether your integration of payment functionality renders you a Payment Service Provider, as defined by the PCI SSC. A Payment Service Provider is an entity that stores, processes, or transmits cardholder data on behalf of another entity, or can impact the security of the transaction. If the ISV integrates payments in such a way as to fall into that scope, then the ISV must validate compliance with the PCI DSS. Merchants must use PCI DSS compliant service providers, so it’s important that ISVs are prepared to provide their Attestation of Compliance (AOC) to their merchants.
If the ISV is able to offer payments functionality without falling into the Payment Service Provider scope, then the entity must be able to clearly articulate how they are able to maintain that status. For example, if the ISV has partnered with another PCI-compliant service provider to offer a hosted payment page, and the ISV does not host, nor does it redirect to that page, then it may be possible to remain out of scope. This is dependent on the ISV integration and the current guidance from the PCI SSC and the card brands.
#2 – Implement Industry Best Practice Even if You’re Not in Scope
Even if an ISV is able to maintain a posture that keeps it out of scope for PCI DSS, it is important to maintain industry best practice for data security and privacy. Having good security practice is not just necessary for those companies that are obligated to PCI DSS. Most states have data breach notification laws that offer safe harbor for encryption of sensitive data, as long as the encryption keys are not also exposed. Additionally, states are rapidly moving towards the adoption of privacy laws, most of which have data protection requirements. Maintaining compliance with industry standards such as PCI DSS, even in the absence of card scheme requirements, can put an ISV, and by extension their clients, in good stead with respect to existing and forthcoming regulatory requirements.
#3 – Explain the Payment Integration Options that You Offer and their PCI Implications for Your Merchants
For ISVs that are looking to add payments functionality, it’s important to understand how the choices you make about the payment solutions you integrate cascade down to merchants. For instance, if an ISV integrates a hosted payment page, the likelihood that the merchant will be able to validate their own compliance using the SAQ A is fairly high. However, if an ISV integrates and offers a redirected page, the merchant is more likely to be required to validate using an SAQ A-EP, which is a much longer questionnaire. Both may be valid choices for a variety of reasons, but ISVs should understand the implications for their merchants.
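The scope reduction behind the hosted-page option in #1 and #3 comes from one property: the ISV or merchant server describes what to charge but never receives the card number. The added example below (illustrative code written for this page, not Sphere's hosted payment page or its API) shows that boundary as a signed session: the merchant side builds and HMAC-signs an order description, the provider side checks the signature and freshness before rendering the page, and what flows back to the merchant is a token and last four digits only. The shared secret, field names and `max_age` window are assumptions for the demo.

```python
"""Added example: hosted payment page session (illustrative, not Sphere code).

merchant_create_session  -> runs on the ISV/merchant server (no card data)
provider_verify_session  -> runs on the payment provider before showing the page
provider_collect_card    -> runs on the provider; returns only a token to the merchant
"""
import hashlib
import hmac
import json
import secrets
import time

# Per-merchant signing key issued by the provider (constructed demo value).
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so both sides sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def merchant_create_session(order_id: str, amount_cents: int, currency: str = "USD",
                            now: float = None) -> tuple:
    """Merchant describes the charge and signs it; no PAN is ever handled here."""
    payload = {
        "order_id": order_id,
        "amount": amount_cents,
        "currency": currency,
        "nonce": secrets.token_hex(8),           # prevents replay of an old session
        "ts": int(time.time() if now is None else now),
    }
    sig = hmac.new(SHARED_SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    return payload, sig


def provider_verify_session(payload: dict, sig: str, now: float = None,
                            max_age: int = 900) -> bool:
    """Provider rejects any session whose fields were altered in transit
    (e.g. the amount edited in the browser) or that is older than max_age."""
    expected = hmac.new(SHARED_SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    now = time.time() if now is None else now
    return 0 <= now - payload["ts"] <= max_age


def provider_collect_card(payload: dict, pan: str) -> dict:
    """Card entered on the provider-hosted page. The merchant callback carries
    a reference token and display digits, never the PAN itself."""
    token = "tok_" + secrets.token_urlsafe(16)   # provider-side vault reference
    return {"order_id": payload["order_id"], "amount": payload["amount"],
            "token": token, "last4": pan[-4:]}
```

The practical check for an ISV is to confirm that no code path on its own servers (including logging and error handling) can ever see the value a customer types into the hosted page; if the ISV's page collects the number and posts it onward, that property is lost and the merchant's questionnaire changes accordingly.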
#4 – Clearly Communicate Who Owns What Responsibilities
The interplay between merchants and service providers can be complex, particularly if merchants are able to select services and features a la carte. This can lead to uncertainty as to which entity owns responsibility for various security controls. ISVs can demonstrate partnership with their merchants by providing a “shared responsibility” matrix. The matrix doesn’t need to be very complicated, but it should clearly delineate which PCI responsibilities belong to the ISV and which belong to the client. Since all merchants must comply, and any business with a Merchant Identifier (MID) must validate compliance, this documentation can significantly simplify their own process of PCI compliance management.
PCI DSS compliance is a fact of life for any participant in the payment system. Understanding how your decisions as an ISV can impact the compliance standing of your client portfolio can help you make more informed decisions about the solutions that you implement and may simplify the compliance and validation process for your merchants.
We recently sat down with Curtis Bauer, Sphere Chief Product Officer, to learn about an innovative new product, Hosted Multi-Channel Payment Suite. This solution gives software vendors the power of accepting payments via many channels through one single integration.
Q1: You recently launched a hosted payments product suite for software vendors, what sparked the solution?
Bauer: That’s actually an interesting story. The Sphere Product team is constantly thinking about ways in which we can solve ISV needs in the most impactful, secure, but lightest way possible. One of our most successful ISV solutions is our Premier hosted payment page, which enables ISVs to accept card not present transactions within their SaaS based solution, e-commerce site, mobile, text or even email. In fact, calling it a hosted payment page is probably a bit of an understatement as it somewhat minimizes its robust capabilities. ISVs love the product due to its simple integration, branding and style continuity, as well as PCI scope reduction.
The Product team thought about ways we might be able to leverage all of the benefits that are inherent with our Premier hosted payment page, but allow us to expand it into other user scenarios, including the ability to accept EMV card present transactions. The team came up with an idea to leverage a fairly underutilized technological approach, which the team theorized might allow us to connect a traditional EMV card reader to a PC and process EMV transactions through a browser, without the need to install software on the desktop or leverage any antiquated java scripting to communicate with the EMV device. To test the theory, the Product team worked with our Development team and to make a long story short, the approach was proven to be viable and it ended up being the foundation for expanding our hosted payment page into an entire multi-channel hosted payment product suite.
Q2: What are the main problems this solution solves?
Bauer: ISVs have four critical challenges as it relates to adding payment acceptance to their core product solution:
- How do they enable payments to their solution with the least amount of development effort
- How do they enable payments in a way that does not interrupt the user experience, keeping the same look, feel and flow
- How do they enable payments across multiple acceptance use cases
- Possibly the most important challenge, how do they ensure cardholder data does not reside within the ISV’s platform, minimizing their PCI footprint, while protecting their customers from cardholder data breaches
Our new hosted payment product suite solves for these critical challenges and much more. ISVs face so many challenges with bringing their products to market. As a payment processor and gateway platform, we have a responsibility to ensure payment acceptance doesn’t become one of those challenges, but more importantly, ensure payment acceptance enhances their core product offering to improve the overall value proposition to their customers.
Q3: How can this product suite fit into software vendors business models? Can you share an example?
Bauer: One of my favorite examples is an ISV that creates business management software for a bakery. Let’s say that the bakery sells their products from a retail location. They need the ability to accept card-present EMV transactions from their in-store customers through the ISV’s SaaS-based business management solution. The bakery also has a website where they accept orders for birthday cakes or other items, in which they need the ability to accept credit card transactions online. The bakery also has a cookie of the month club, where subscribers pay a monthly fee to enroll into receiving a dozen of their specialized cookies each month at a discounted price. The bakery needs the ability to accept a credit card, either in person or online, and then set up the card for a monthly recurring subscription billing. Finally, the bakery also takes orders over the phone for delivery. They need the ability to accept credit card information over the phone and process the transaction securely. Our hosted payment product suite not only provides the ability for an ISV to enable accepting payments via all of these scenarios, but it also allows them to do so while ensuring sensitive cardholder data is never stored within their platform, but is instead transmitted, processed and stored within the Sphere secure gateway. In addition, this only requires one simple integration, which allows the ISV to spend more time focusing on enhancing their core product instead of allocating precious development resources to managing their payment acceptance program.
If you would like to learn more about the Hosted Multi-Channel Payment Suite, read the fact sheet. To schedule a demo, click here.
Curtis Bauer, Chief Product Officer, brings more than two decades of payment industry experience with a core focus on Product, Technology and Corporate strategy. He has held Senior Leadership roles at TSYS, TransFirst and Vantiv. He is responsible for identifying and executing on our product strategy to help deliver growth by providing innovative solutions to our customers.
In our new series, Small Business Huddle, the Sphere team shares insights and tips that help small to medium sized businesses stay ahead of the game.
In times like these, small businesses must quickly and efficiently adapt the ways they sell their goods and services. In a broad effort to protect the public, many industries have been affected by restrictions from government, city and other civic agencies due to COVID-19. When cash isn’t an option, small businesses can adapt and accept payments electronically using the Sphere solutions available today. These include:
- Virtual Terminal – secure, web-based application that lets you enter in credit card and ACH details manually.
- Hosted payment pages – through a simple integration, this solution directs a customer to a secure payments page to enter their credit card information, which is securely hosted within a Sphere environment. The credit card information never touches your systems.
- Mobile payment acceptance – these solutions let you take payments via your mobile phone.
Anytime, anywhere, Sphere provides secure and compliant payment acceptance.
Many organizations and businesses are already adjusting to these major and sudden shifts in consumer behavior. Here are some great examples:
- Restaurants: From Dining Rooms to Delivery and Curbside Pick-up
Restaurants are having to mobilize their businesses quickly, closing dining rooms and pivoting to delivery and curbside pickup options. Today’s smart terminals offer many features and operate on wireless networks. These terminals can help businesses become more mobile, for example Poynt 5, VitalSelect, and CardFlight.
- Cashless Consumers: Mostly Cashless to Nearly Zero Cash
It’s no secret that cash has historically carried an elevated level of germs and with the world on high alert, consumers have turned to avoiding cash more than ever in favor of electronic, credit card payment methods. Through Sphere Merchant Services, businesses can implement contactless options via terminals that accept Apple Pay, Google Pay, and NFC capabilities. In addition, Sphere’s Virtual Terminal and gateway solutions enable businesses to accept card not present payments over the phone.
- Charity Events and Church Services: Collection Plates to “Donate Now” Buttons
Church services and charitable events across the US have largely been suspended in favor of social distancing. While religious organizations have mostly pivoted to online gatherings, they may struggle to collect donations from a congregation that is used to passing around a collection plate in person.
Through a web-based gateway, churches and other charitable organizations can begin to collect donations online while donor events are largely suspended for the time being.
Sphere’s partner, Qgiv, offers easy to set up and use online donation and fundraising solutions.
- Small Businesses: Store Fronts to Websites and Virtual Services
All non-essential businesses have been closing their doors to in-person foot traffic. Small businesses without a web presence will need to adopt online or mobile payment channels quickly. We are seeing a trend in offering services performed traditionally in-person shift to online technologies. For example, tutoring sessions, yoga classes and music lessons can be offered virtually. In these examples, the provider needs a payment method that can work in this new environment where there is not a card present.
This environment is requiring businesses to adapt quickly, and our team wants to help you pursue business continuity no matter the circumstance. We are offering complimentary consultations on all payment solutions. Call today. US Merchants 855.426.6842, Option 2; Canadian Merchants 855.330.7057, Option 2