Posts Tagged ‘virtual terminal’

Shocking lack of payment processing security in healthcare industry

Thursday, April 21st, 2011

There’s room for improvement in medical billing for card-not-present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare companies, I think 50% PCI DSS (Payment Card Industry Data Security Standard) compliance would be extremely optimistic.

So what’s got my dander up today? A widespread lack of security by healthcare suppliers handling my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it. As a cardholder, I have a right to know. Like many Americans, I have an HSA account, and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account. Under Visa’s Zero Liability policy, consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and its misunderstanding of the resulting liability exposure. Storing card data even for 24 hours poses a huge risk, both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process. Consumers receive invoices in the mail. They can mail a check, pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

PAY INVOICE BY MAIL

credit card payment form

This invoice format is quite common for medical billing.

RISK: The merchant collects the CVV code, listed as “signature code” above, and bills are sent to their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photograph each billing form. It’s doubtful they could prove PCI Compliance, and they would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably, the paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK: The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
  • Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location. CVV is NEVER stored, not even encrypted, since it’s against card association rules.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The second person to take my payment, on a later date, was the actual representative for my account.

  • She entered information in the billing system so there was a record of my call and payment.
  • My card data, including CVV, was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably, the computer notes are deleted.

RISK: Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate data theft potential.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit report service for one year, $12/mth per card holder.
  • Reimburse all claims from card associations.
  • Fines for FACTA, HIPAA, and PCI Compliance violations.
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff who believe that, since payment processing is done through a dial-up terminal that is not connected to the card data in the database, there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.

How to reduce time and money for outpatient procedure billing

Thursday, March 17th, 2011

Do you want to outsource your medical billing? Whether yes or no, read on for important payment options generated from outpatient procedures. If you’re an anesthesiology company, lab, hospital, surgeon, MRI company, or consulting doctor, you’re all in the same fix. How do you collect the patient responsibility bills?

Credit and debit cards are the preferred method of payment in the US today, far surpassing checks. Included in this is the increasing use of HSA cards.

Let’s examine a very real payment process used by medical related companies, picking up from the point where the customer receives an invoice in the mail outlining their patient responsibility.

Customer has invoice. Which of these do you offer?

  1. Tear off the form and mail in with check or credit card information. Should I ask for the security code on the mail order form? (No).
  2. Call to make a payment over the phone.
  3. Pay online.

THE MAIL METHOD: Are staff keypunching the card data into a desktop terminal or a computer terminal? Your computer can be a virtual terminal simply by logging in to a secure web page. Some think there is more risk with this; however, there is actually less risk.

  1. Access is administration controlled and remotely managed on demand. This eliminates risk associated with wrongful use by cleaning personnel, repair crews and unauthorized employees, plus you can instantly remove, restrict, or expand credit card processing access.
  2. Instant reports based on trigger alerts you set can be transmitted via email to multiple personnel.

PHONE PAYMENTS

  1. Same as for Mail EXCEPT there is no need to ever enter a transaction on paper. Why do employees write transactions on paper?
     • The machine isn’t near them.
     • They agree to let customers make multiple payments.
     • The person answering the phone doesn’t do the processing.

How does our hosted payment processing solution, CenPOS, differ?

  1. More flexibility to assign payments with deeper information such as the physician involved in the procedure.
  2. Real time reports on demand by location, cashier, card type, and many other elements provide quick access to risk insight as well as reconciliation data.
  3. Integrated system for billing vendor and internal staff payments so both parties can have real time access to patient payment history.
  4. Securely store encrypted card data on PCI compliant servers to process a one time payment and scheduled installment payments of a different amount.

Item one (the mail method) is offered by everyone. Are you mailing to a lockbox or billing office? If you are not using a lockbox and are requesting the 3 digit security code, you’ve elevated your internal fraud risk considerably.

If you outsource, the amount of time your supplier spends on these processes directly affects your costs. How is the supplier performing these functions for you now? You’re the customer; you can request whatever you want.

See also our YouTube virtual terminal video demo.

Virtual Terminal video – single payment applied to multiple accounting codes

Tuesday, March 8th, 2011

In Virtual Terminal demo #2 we show how to assign a single payment to multiple accounting ledger codes. Ideal for schools and B2B, the merchant can enter the total payment from a check, credit card, or debit card, and then break the payment into internal fee codes.

Click for the 2 minute demo video: Virtual Terminal Demo, Assigning a single payment to multiple accounting codes.

The CenPOS hosted payment processing solution works with both retail credit card present and card not present merchant accounts, Checks, and ACH. Ideal for Schools, lawyers, camps and any time you collect payments for more than one revenue line item. Real time financial reports and transaction research are available on demand, including data for multiple years across all payment types. You can easily show trends and compare data elements.

Virtual Terminal tokenization video demo for storing credit card

Monday, February 28th, 2011

Can I store encrypted credit card data and bill different amounts to a customer?  Yes, and this video demo of our most advanced virtual terminal shows you exactly how. This is a universal PCI Compliant virtual terminal, meaning it’s compatible with all major credit card processors.

Almost any virtual terminal solution can securely store card data for recurring billing, where the card is charged the same amount each time, but none of the most popular virtual terminals offers a secure token solution to charge a variable amount. Chase Paymentech’s Orbital® Gateway, Authorize.net®, and PC Charge® all offer recurring billing, but do not offer variable amount billing for their standard gateway. If there is a custom option, I’m not aware of it.

Chase Paymentech Orbital, Authorize.net, and PC Charge are all gateways. Our solution is a SWITCH, and also a gateway. What’s the difference? A gateway passes data over the internet to facilitate an electronic transaction. A switch identifies the data, makes logical decisions, and then routes the data based upon pre-defined parameters. For example, a gateway passes card data from the point of collection to the payment processor. Our switch can identify the card issuing bank, determine what’s needed to qualify the transaction for the lowest cost interchange, and then pass the data needed to meet that requirement. This is just one example of what switch technology can do.

Credit card processing in the moving and relocation industry

Monday, January 24th, 2011

If you could negotiate your credit card processing fees to Zero, how much would you pay a month? Probably a bundle, because over 95% of your fees are non-negotiable. They’re set by the card associations and there’s nothing you can do about it. Right?

Wrong! There are rules within rules about how to qualify for each rate, creating hundreds of rates. They are fluid and changing, yet merchants have dumb equipment that’s programmed one time to collect just enough information to process a transaction and, if they’re lucky, include basic fraud prevention and commercial card data collection prompts. It’s virtually impossible for a business to control credit card processing costs this way.

The solution is an Intelligent Transaction Engine, allowing each card type to be processed in the least costly manner. It automatically identifies credit vs. debit cards as well as different credit card types, i.e., personal vs. commercial cards, and then sends the necessary data to qualify that transaction for the lowest cost possible. It eliminates costly human errors. Since other solutions cannot identify the card-issuing bank to determine what elements are needed to process efficiently, this is truly unique.

Unique benefits for moving and relocation industry:
* How often are your good faith estimates exactly the same as the final bill? When an authorization amount and capture amount are different, it automatically costs more. Our engine resolves this, saving you up to .7% in interchange fee downgrades.

* For commercial accounts, eliminate repetitive steps to charge the same account over and over again. Create billing contracts and enter card data one time only. Add multiple cards and multiple contracts. To charge enter a Token ID, amount, and an invoice number, and the receipt is automatically emailed to your client.

Will this hosted payment processing technology improve your EBITDA?

  • Does your business accept credit cards over the phone?
  • Do you get an initial authorization, and then charge later? Is the amount you charge different than the initial auth?
  • Do you have accounts that you bill over and over again?
  • Do you have multiple business units?

If you answered yes or sometimes to any of these questions, the answer is YES. Nearly EVERY business just like yours who saw a demo, also implemented our platform.

3D Merchant Services Moving and Relocation brochure. PDF download 256kb.

How can you improve collecting payments for large outpatient bills?

Wednesday, January 19th, 2011

When a patient has a large medical bill, do you ever agree to multiple payments? How do you handle it? For some operations, the answer is for the customer to call back each month to phone in their payment. The most frequent reason cited is to avoid risks associated with credit card fraud and identity theft.

This scenario is bad for multiple reasons:

  1. The patient may not call back.
  2. Your staff might have to make more calls to collect later.
  3. Staff has to key enter the transaction each and every time a payment is made.
  4. Staff has access to credit card data over and over again. (risk)
  5. Staff may be writing down card information to keypunch in later, each time creating a period of risk.

All of these can be avoided with a virtual terminal solution that meets all medical billing needs. Your computer can be a virtual terminal simply by logging in to a secure web page. Some think there is more risk with this; however, there is actually less risk. Unlike desktop terminals, administration controls and manages access remotely on demand. This eliminates risk associated with wrongful use of hardware by cleaning personnel, repair crews and unauthorized employees, plus you can instantly remove, restrict, or expand credit card processing access.

We put the virtual terminal on steroids so you also receive these benefits:

  • Save gobs of time! When a customer agrees to multiple payments, enter the customer data one time only and then set the payment schedule. Eliminate the follow up phone calls and other activities. (Recurring Billing)
  • Reduce receivables and predict cash flow: since payment is on ‘autopilot’, collection is more predictable. A dynamic real-time graphic report shows future receivables.
  • Instant alerts based on thresholds you set can be transmitted via email to multiple personnel to reduce risk. For example, every refund over $50 sends an email.
  • Create a one time payment for a different amount, then future fixed payments. No other virtual terminal allows you to do this! (Token billing)
  • If a customer has multiple bills from different dates, enter the card data one time. Then simply add more ‘contracts’ for billing.
  • Add multiple cards for a customer and multiple billing addresses: every possible option you need to collect payments is available.
  • Least cost routing: eliminate human error and hardware settings from impacting the cost of accepting credit cards.
  • Improve workflow. Enter payments from the immediate work area.
  • Optional integration with patient check-ins: customers can make a partial payment at the hospital on arrival, and agree to rebill the same card for the balance. You get the swipe rate at the hospital and the phone rate in the future.
  • Pay a bill online: create a payment page quickly and easily with just 3 lines of HTML code to put on an existing web page. Web page creation is available for a fee.

FAQ

Can I keep the same credit card processor? Yes. The Virtual Terminal is compatible with all major processors.

Where is the card data stored? It is encrypted and stored on remote PCI Compliant servers with redundant back-up. Once the card data is entered, you’ll never have access to the card information, other than the last 4 digits, again.

How long will it take to learn? The basic tasks are learned in under 15 minutes. Users of advanced features will probably spend a few hours over the course of a week.

Do you provide phone support? Yes, 24/7. There are also dozens of 15-25 second videos for instant answers for every situation so your customers don’t have to wait. Phone support is included in the service.

How much does it cost? A better question is, how much will you save? Reduced credit card processing fees, reduced staff time, and improved cash flow. All agreements are per quote and may include a per transaction fee and or percentage of transaction fee. We custom quote so your business pays a fee relative to your business size, and not a penny more.

What are the computer requirements? Windows XP and above or any Mac OSX, with high speed internet.  There is no software to install. This is a host-based solution.

Can I see a demo? Yes! Call 954-942-0483.  If you want to know what your credit card processing savings will be, please send two consecutive merchant statements for analysis.

Do you offer credit card processing? Yes. The virtual terminal and credit card processing are two distinct agreements, and we offer both.

How does this work if we also have a billing company handling our lockbox? The set up is very flexible. You can have one account where all users can see data such as patient payment history and contract set up, or restrict it. You’ll have total control as to which users can see what data and what functions they can perform. You’ll never have to wait for a report again because you’ll have real time access to all transactions, on your schedule, and in a format that works for you.

How can we protect against fraud if we don’t ask for the CVV; don’t we save money by getting the CVV? The security or CVV, CVV2, CID code is not required for MAIL/PHONE payments. CVV never impacts cost. There are many other fraud protections such as address verification. Since CVV cannot be stored electronically, we do not collect it for recurring billing or token billing.

What about risks from computers? No data is stored on your computer. To meet PCI Compliance your individual computers or network will need PCI Scanning.
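As an added illustration, not code from the post or from the CenPOS product, of the difference between the ‘notes field’ storage described in the first post and the token billing described in that post’s solution and in the FAQ above: a small in-memory stand-in for a hosted token vault whose record has no place for a CVV, a merchant-side record that keeps only the token and last four digits, and a Luhn-based scan a defender can run over a billing database’s free-text columns to find card numbers that should not be there. The vault class, the token format and the sample notes line are constructed assumptions.

```python
"""Token billing vs. card data in a 'notes' field (added example, hypothetical code)."""
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn check used by card brands; rules out most digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes (how staff tend to type them)
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def find_pans(text: str) -> List[str]:
    """Scan free text (e.g. a billing 'notes' column) and return Luhn-valid card numbers."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class VaultRecord:
    # The hosted service would hold these encrypted at rest; plain here for illustration.
    # Note there is deliberately no cvv field: the vault has nowhere to store it.
    pan: str
    expiry: str


class TokenVault:
    """Stand-in for the remote PCI-compliant vault. Hypothetical, not a real API."""

    def __init__(self) -> None:
        self._records: Dict[str, VaultRecord] = {}

    def tokenize(self, pan: str, expiry: str, cvv: Optional[str] = None) -> dict:
        """Store PAN + expiry, return an opaque token. CVV may accompany the initial
        one-time authorization but is discarded here, never persisted."""
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(8)        # constructed token format
        self._records[token] = VaultRecord(pan=pan, expiry=expiry)
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int, invoice: str) -> dict:
        """Token billing: any amount, any later date; the merchant never resends the PAN."""
        rec = self._records[token]                    # KeyError if the token is unknown
        return {"approved": True, "amount_cents": amount_cents,
                "invoice": invoice, "last4": rec.pan[-4:]}


def merchant_record(vault: TokenVault, pan: str, expiry: str, cvv: str) -> dict:
    """What the merchant's billing database should keep: token and last4, nothing else."""
    t = vault.tokenize(pan, expiry, cvv)
    return {"token": t["token"], "last4": t["last4"],
            "notes": "card on file ending " + t["last4"]}


# Constructed sample of the 'notes' practice described in the post (test card number).
BAD_NOTES = "paid by phone 4/21: Visa 4111 1111 1111 1111 exp 05/13 cvv 123"
```

Running `find_pans` over the constructed `BAD_NOTES` line flags the card number, while the merchant record produced by `merchant_record` contains nothing for the scan to find.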

Virtual terminal comparison

Tuesday, January 18th, 2011

Following up on last week’s Virtual Terminal checklist, here is the new PayPal vs. Authorize.net vs. CenPOS virtual terminal comparison chart. It highlights some key differences, whereas the last article asks, “which Virtual Terminal features do you need?”.

The chart is hardly exhaustive, but is a good starting point to understand some key differences between the terminals. Nearly all virtual terminals fit the “basic” model. I’ve omitted listing most things that are common to all and instead focus on their differences. The ADVANCED VT has many more features not listed that are not in the others, but again, the idea is to identify what key elements you must have in order to choose the best solution for your business.

Download the PDF Virtual Terminal Comparison.

Read more articles about Virtual terminals.

Virtual Terminal

Thursday, January 13th, 2011

A new Virtual Terminal web page supplements the virtual terminal articles in the blog, with a checklist to help merchants choose the best solution without having to hunt through all the articles. I’ve created the list for you below and on the new web page.

Which Virtual Terminal features do you need?

  • Basic sale, void, refund.
  • Daily batch reports, transaction look up.
  • Least cost routing will identify the lowest cost method to process a transaction and pass all data needed to qualify for it. This is NOT just providing the standard level II data that 99% of other virtual terminals deliver. If you’re not sure, ask. If you have corporate customers, this is HIGHLY RECOMMENDED.
  • Recurring billing or installment payments. The customer pays the same amount on a fixed schedule.
  • Repeat billing: your customer asks you to keep their card on file for billing purposes, but there is no set schedule or amount. Save TONS of time. After entering data one time for a client, simply enter the token ID and amount you want to charge for subsequent transactions.
  • Limited user control. Create administrators and users with broad feature access.
  • Maximum user control. Micro manage who can see reports, who can give refunds, set thresholds for instant email alerts by dollar amount of sale or of refund, set criteria to approve a transaction by threshold amount etc.
  • Extensive real-time reports including activity by user, time of day (staff planning), facility or region, card type, general ledger item and many more. Dynamically create graphic and downloadable spreadsheet reports.
  • Fees deducted from transactions or once per month?
  • Do you need more than just name and card information such as assign payments to categories or general ledger codes, account numbers, or invoice numbers?
  • Batch upload transaction data to process.
  • Multiple bank accounts: different accounts for deposits, credits, etc.
  • Integration with other systems: API connectivity.
  • Multiple payment channels: a back-end that supports more than just the virtual terminal, including but not limited to web payments, ecommerce and retail store.
  • Always up to date with the latest parameters for interchange qualification (the wholesale cost of credit card processing).
  • Least cost routing will identify the lowest cost method to process a transaction and pass all data needed to qualify for it. This is NOT just providing the standard level II data that 99% of other service providers deliver.
  • Compatible with all major payment processors.
  • PCI Compliant. No credit data is ever stored at your facility.