Practice management payment security

Practice Management Payment Security Tips for Business Protection

Does your eye care business comply with payment security standards and use compliant payment processing solutions for credit and debit card transactions? Is your payment solution using point-to-point encryption, PCI compliance, tokenization, and EMV technology?

More than three-quarters of small- and medium-sized businesses (SMBs) don’t think they’re at any payment security risk, yet an alarming majority of data breaches target small businesses, according to research conducted by Worldpay® Integrated Payments,. Nearly half (48%) of consumers surveyed have experienced some form of card fraud.

The Nilson Report says fraud is a persistent problem. In 2017, 38.6% ($9.37 billion) of gross worldwide credit and debit card fraud losses occurred inside the United States.

How do these payment security terms impact your optometry and ophthalmology business? Let’s take a closer look at the practice management payment security systems you should have in place to protect your eye care business from payment security threats.

What is PCI-DSS Compliance?

Payment Card Industry Data Security Standard (PCI-DSS) is a set of industry-wide security requirements developed by major credit and debit card brands, such as Visa®, MasterCard®, Discover®, American Express®, and others. PCI helps protect the safety of data and ensures all businesses that process, store, and/or transmit card information maintain a secure environment.

If you accept or process credit and debit card payments, you must comply with the 12 PCI Data Security Standards set by the PCI Security Standards Council®. PCI standards cover technical and operational system requirements, and vary based on the size and processing methods of your eye care practice. Regardless of the practice size, you must be compliant at all times.

If you don’t comply with PCI security standards, this may lead to data breaches that result in fines, fees, and lost business. You must also ensure that your system network and devices that process, store, or transmit cardholder data are in full compliance.

PCI and HIPAA Compliant Pro Tips

Assess your PCI-DSS compliance and security of your cardholder data and complete the PCI Security Standards Council Self-Assessment Questionnaire (SAQ). The SAQ includes two components: a set of detailed questions about your business and an Attestation of Compliance that certifies you completed the SAQ and you meet the PCI council guidelines.

  • Securely store written credit or debit card numbers under lock and key from prying eyes.
  • Monitor your payment processing hardware and safely secure it when not in use.
  • Choose a payment processor and payment solutions provider that offers PCI compliance assistance.
  • Make sure the point-of-sale (POS) system/terminal you use to process payments meets the Payment Applications Data Security Standards (PA-DSS) enforced by the PCI Council.
  • Never store PHI or medical procedure information in the invoice line items or comments section of payment transactions.
  • If you are using a gift card processing service with your payment processing vendor, check with the vendor if you need to enter into a Business Associate Agreement (BAA). Although HIPAA doesn’t require financial institutions or merchant processing services who process credit, debit, or other payment card transactions to enter into a BAA with a covered entity (healthcare provider), you may need to obtain a valid BAA if you use other services.

What is Tokenization?

Tokenization is similar to chip technology for in-person transactions. Tokenization helps reduce fraud and risk from data breaches, and it fosters trust with your customers.

Tokenization “substitutes a string of random numbers—known as a token—for private data like account numbers.” With tokenization, if a point-of-sale (POS) system, mobile device, mobile application, or network connection is compromised, payment card numbers are safe since they were not exposed and stored in highly secure token vaults.

While tokenization can’t protect your business from a data breach, as that requires your practice to adhere to HIPAA compliance and perform ongoing security risk assessments, tokenization makes accepting credit and debit card payments easier and more secure for businesses. Ask your payment processing provider if you are optimizing tokenization services to protect your eye care business.

What is Encryption and Tokenization

Graphic Source (reprinted with permission): Worldpay

Related: The HIPAA Risk Assessment Checklist for Eye Care Professionals

Related: HIPAA Compliance Guide for Eye Care Professionals

What is EMV Chip Card Processing?

EMV chip card processing is a standard based on smart card technology that helps protect your business from fraudulent use of payment card at your point of sale. EMV also protects customer data and reduces counterfeit fraud in-store. EMV stands for “EuroPay®, MasterCard® and Visa®,” which are the card networks who initiate the standards.

According to 2016 research conducted by Worldpay and Socratic Technologies, 76% of consumers believe that EMV cards are more secure and 46% believe they are more convenient compared to traditional credit and debit cards. Counterfeit card fraud continues to decline with more businesses using EMV cards and EMV-enabled POS terminals.

EMV card processing survey

Graphic Source (reprinted with permission: Worldpay

Top 7 EMV Payment Security Questions and Answers

1. How do EMV chip cards fight fraud?

By using microchip technology, chip cards generate a one-time code for every credit and debit card payment. EMV makes it nearly impossible to create counterfeit cards for in-store transactions.

2. What are the main benefits of EMV-compliant devices?

  • Reduces the risk of counterfeit card fraud through authentication of dynamic data generated by chip cards, smartphones, and other EMV-compliant devices.
  • Helps build customer trust with a more secure and seamless transaction.
  • Limits your fraud and chargeback risk.
  • Gives you the ability to accept the payment technologies as well as international cards that are already EMV-enabled.

3. Why should you use an EMV-enabled device?

Since October 2015, credit card counterfeit fraud liability has shifted to businesses that have not invested in EMV chip technology. “The merchant may be liable for any counterfeit fraud that occurs as a result of the transaction,” reports Worldpay. This makes optometry practices which are not using EMV more likely to be held financially liable for fraudulent transactions.

EMV-enabled device technology

Graphic Source (reprinted with permission): Worldpay

4. Are chip cards safer than a magnetic stripe (or magstripe)?

Magnetic stripes on the back of credit and debit cards make it easier for criminals to copy cardholder data using “skimming” technology. Because EMV chips encrypt card data, it’s more difficult for criminals to steal data from the physical card and make counterfeit cards.

So businesses can continue processing transactions from magnetic stripe cards that are still on the market, chip-enabled terminals will continue to include magnetic stripe readers.

5. Why is EMV compliance important in the U.S.?

The U.S. is one of the last major countries around the world to adopt EMV, which has led to more credit and debit card fraud occurring in the U.S.

6. Will EMV compliance always protect against stolen cards?

Not always. EMV cards come in two formats: “chip + PIN” and “chip + signature.” If someone steals the EMV card, and the owner of the card has not deactivated the account with the issuing bank, the card can still be used with a forged signature.

It is always your responsibility to protect your business from security threats by paying close attention to spotting fraudulent activity.

7. Will you be able to accept new payment technologies with EMV?

Most new payment acceptance devices support EMV cards, as well as process Near Field Communication (NFC) mobile transactions, such as Apple Pay™ and Android Pay™. Check with your payment solutions partner if you need to upgrade your credit card terminal or POS system.

Integrate Compliant Payment Processing with Your Practice Management Software

Using a payment processing solution that includes encryption, PCI compliance assistance, tokenization, and EMV chip processing is the best way to stay ahead of payment security threats and to streamline your credit and debit card transactions.

Worldpay Integrated Payments, an industry-leading global payment processing provider, integrates with MaximEyes practice management software and the online bill pay module in advanced patient portal tools. Integrated payment processing solutions help optometry and ophthalmology practices become more efficient, more secure, and more successful.

Contact us for more information about MaximEyes EHR and practice management solutions. We’ll help you create a plan of action and determine your potential return on investment.

Are you a current MaximEyes customer? Click here to request more information about our Worldpay payment processing and online bill pay integration.

MaximEyes EHR and PMS

This blog is meant as an educational resource and does NOT constitute legal HIPAA or PCI-DSS compliance advice. Eye care providers are responsible for taking the necessary steps needed to protect the confidentiality, integrity, and availability of protected health information (PHI) and complying with payment processing security standards and HIPAA security and privacy rules.