Shocking lack of payment processing security in healthcare industry

There’s room for improvement in medical billing for card-not-present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare companies, I think 50% PCI DSS (Payment Card Industry Data Security Standard) Compliance would be extremely optimistic.

So what’s got my dander up today? A widespread lack of security by healthcare suppliers in handling my HSA debit card data. Before giving out my card information, I always ask what they are going to do with it. As a cardholder, I have a right to know. Like many Americans, I have an HSA account, and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account. Under Visa’s Zero Liability policy, consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and its misunderstanding of the resulting liability exposure. Storing card data even for 24 hours poses a huge risk, both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process. Consumers receive invoices in the mail. They can mail a check, pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

[Image: credit card payment form]

This invoice format is quite common for medical billing.

RISK: The merchant collects the CVV code, listed as the signature code above, and bills are sent to their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photograph each billing form. It’s doubtful they could prove PCI Compliance, and they would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.


The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably, the paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK: The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
  • Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location. The CVV is NEVER stored, not even encrypted, since that is against card association rules.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The second person to take my payment, on a later date, was the actual representative for my account.

  • She entered information in the billing system so there was a record of my call and payment.
  • My card data, including the CVV, was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably, the computer notes are deleted.

RISK: Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate the potential for data theft.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit report service for one year, $12/month per cardholder.
  • Reimburse all claims from card associations.
  • Fines for FACTA, HIPAA, and PCI Compliance violations.
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff who believe that because the payment processing goes through a dial-up terminal that is not connected to the card data in the database, there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.

How to reduce time and money for outpatient procedure billing

Do you want to outsource your medical billing? Whether yes or no, read on for important payment options generated from outpatient procedures. If you’re an anesthesiology company, lab, hospital, surgeon, MRI company, or consulting doctor, you’re all in the same fix. How do you collect the patient responsibility bills?

Credit and debit cards are the preferred method of payment in the US today, far surpassing checks. Included in this is the increasing use of HSA cards.

Let’s examine a very real payment process used by medical related companies, picking up from the point where the customer receives an invoice in the mail outlining their patient responsibility.

Customer has invoice. Which of these do you offer?

  1. Tear off the form and mail in with check or credit card information. Should I ask for the security code on the mail order form? (No).
  2. Call to make a payment over the phone.
  3. Pay online.

THE MAIL METHOD: Are staff keypunching the card data into a desktop terminal or a computer terminal? Your computer can be a virtual terminal simply by logging in to a secure web page. Some think there is more risk with this; however, there is actually less risk.

  1. Access is administration controlled and remotely managed on demand. This eliminates risk associated with wrongful use by cleaning personnel, repair crews and unauthorized employees, plus you can instantly remove, restrict, or expand credit card processing access.
  2. Instant reports based on trigger alerts you set can be transmitted via email to multiple personnel.


  1. Same as for Mail EXCEPT, there is no need to ever enter a transaction on paper. Why do employees write transactions on paper?
  • The machine isn’t near them.
  • They agree to let customers make multiple payments.
  • The person answering the phone doesn’t do the processing.

How does our hosted payment processing solution, CenPOS, differ?

  1. More flexibility to assign payments with deeper information such as the physician involved in the procedure.
  2. Real time reports on demand by location, cashier, card type, and many other elements provide quick access to risk insight as well as reconciliation data.
  3. Integrated system for billing vendor and internal staff payments so both parties can have real time access to patient payment history.
  4. Securely store encrypted card data on PCI compliant servers to process a one time payment and scheduled installment payments of a different amount.


Item one is offered by everyone. Are you mailing to a lockbox or billing office? If you are not using a lockbox and are requesting the 3 digit security code, you’ve elevated your internal fraud risk considerably.

If you outsource, the amount of time your supplier spends on these processes directly affects your costs. How is the supplier performing these functions for you now? You’re the customer; you can request whatever you want.

See also our YouTube virtual terminal video demo.

How can you improve collecting payments for large outpatient bills?

When a patient has a large medical bill, do you ever agree to multiple payments? How do you handle it? For some operations, the answer is for the customer to call back each month to phone in their payment. The most frequent reason cited is to avoid risks associated with credit card fraud and identity theft.

This scenario is bad for multiple reasons:

  1. The patient may not call back.
  2. Your staff might have to make more calls to collect later.
  3. Staff has to key enter the transaction each and every time a payment is made.
  4. Staff has access to credit card data over and over again. (risk)
  5. Staff may be writing down card information to keypunch in later, each time creating a period of risk.

All of these can be avoided with a virtual terminal solution that meets all medical billing needs. Your computer can be a virtual terminal simply by logging in to a secure web page. Some think there is more risk with this; however, there is actually less risk. Unlike desktop terminals, administration controls and manages access remotely on demand. This eliminates risk associated with wrongful use of hardware by cleaning personnel, repair crews and unauthorized employees, plus you can instantly remove, restrict, or expand credit card processing access.

We put the virtual terminal on steroids so you also receive these benefits:

  • Save gobs of time! When a customer agrees to multiple payments, enter the customer data one time only and then set the payment schedule. Eliminate the follow up phone calls and other activities. (Recurring Billing)
  • Reduce receivables and predict cash flow. Since payment is on ‘autopilot’, collection is more predictable. A dynamic real-time graphic report shows future receivables.
  • Instant alerts based on thresholds you set can be transmitted via email to multiple personnel to reduce risk. For example, every refund over $50 sends an email.
  • Create a one time payment for a different amount, then future fixed payments. No other virtual terminal allows you to do this! (Token billing)
  • If a customer has multiple bills from different dates, enter the card data one time. Then simply add more ‘contracts’ for billing.
  • Add multiple cards for a customer and multiple billing addresses. Every option you need to collect payments is available.
  • Least cost routing. Eliminates human error and hardware settings from impacting the cost of accepting credit cards.
  • Improve workflow. Enter payments from immediate work area.
  • Optional integration with patient check-ins- customers can make partial payment at hospital on arrival, and agree to rebill same card for balance. You get swipe rate at hospital and phone rate in the future.
  • Pay a bill online- create a payment page quickly and easily with just 3 lines of html code to put on an existing web page. Web page creation available for a fee.


Can I keep the same credit card processor? Yes. The Virtual Terminal is compatible with all major processors.

Where is the card data stored? It is encrypted and stored on remote PCI Compliant servers with redundant back-up. Once the card data is entered, you’ll never have access to the card information, other than the last 4 digits, again.

How long will it take to learn? The basic tasks are learned in under 15 minutes. Users of advanced features will probably spend a few hours over the course of a week.

Do you provide phone support? Yes, 24/7. There are also dozens of 15-25 second videos for instant answers for every situation so your customers don’t have to wait. Phone support is included in the service.

How much does it cost? A better question is, how much will you save? Reduced credit card processing fees, reduced staff time, and improved cash flow. All agreements are per quote and may include a per transaction fee and or percentage of transaction fee. We custom quote so your business pays a fee relative to your business size, and not a penny more.

What are the computer requirements? Windows XP and above or any Mac OS X, with high speed internet. There is no software to install. This is a host-based solution.

Can I see a demo? Yes! Call 954-942-0483. If you want to know what your credit card processing savings will be, please send two consecutive merchant statements for analysis.

Do you offer credit card processing? They are two distinct agreements and we offer both.

How does this work if we also have a billing company handling our lockbox? The set up is very flexible. You can have one account for which all users can see data (i.e., patient payment history and contract set up), or not. You’ll have total control over which users can see what data and what functions they can perform. You’ll never have to wait for a report again because you’ll have real time access to all transactions, on your schedule, and in a format that works for you.

How can we protect against fraud if we don’t ask for the CVV; don’t we save money by getting the CVV? The security or CVV, CVV2, CID code is not required for MAIL/PHONE payments. CVV never impacts cost. There are many other fraud protections such as address verification. Since CVV cannot be stored electronically, we do not collect it for recurring billing or token billing.

What about risks from computers? No data is stored on your computer. To meet PCI Compliance your individual computers or network will need PCI Scanning.

Identity theft at Holy Cross Hospital and securing payments

At Holy Cross Hospital, technicians discovered that Emergency room employee Natashi Orr, 36, had printed basic computerized forms in patient files containing name, address, birth date, diagnosis and other details, officials said. Raushanah Bowleg, 33, Opa-locka, did the same on his job at an Aventura physician office.

At another hospital, the intake process requires all data be entered in the computer directly, and an electronic signature is captured. Yet to accept payment, the cashier walks to another area, out of view from the consumer, and next to a copier. During this time the card could have been skimmed for the magnetic data or a copy made of the card, both posing considerable risk of identity theft.

While the latter situation has not resulted in a data compromise to my knowledge, the situation is equally dangerous.

3D Merchant Services has a payment processing solution with enhanced features created specifically for hospitals and medical billing companies. Here are a few highlights:

– User level security. Modify, add, and delete users and their permission levels for processing payments for phone/mail and in person. Combined with alerts and other features, this prevents internal and external fraud.
– Tokenization. Would you like to re-bill a customer on their initial payment method? Set up recurring billing? Without storing their credit card data? Create a secure token to enable repeat billing. Even if stolen, the tokens are worthless.
– Least cost routing. Attach a signature capture terminal to your PCs and eliminate human errors that create costly interchange downgrades (interchange is 95% of your payment processing cost); the system also dynamically determines the least cost method to process.

– Reporting. The number one reason CFOs cite for implementing immediately. From downloadable financial data to dynamically created graphic reports that quickly show risk mitigation and treasury reports by organization or location, the solution delivers what you want, when you want it.
There is no other technology on the market positively impacting compliance, costs, and fraud like this, which is why 98% of organizations that see a demo implement it.

Our solution can be integrated with traditional medical billing and intake systems. The technology platform sits in front of the existing processor.

See also related articles  virtual terminal for medical billing solutions providers and Red Flags Rule for Identity Theft Prevention Programs.

payment processing software for medical billing companies

Do you have banks of credit card terminals provided to you by your clients? How are you distinguishing your company in the marketplace today? What if you could tell your clients that you don’t need or want their machine because there is a more SECURE solution to protect their PATIENT information?

The solution is not software, but rather a hosted “cloud” technology platform that never goes out of date, is always PCI DSS compliant, and is compatible with all the major payment processors. Virtually any payment other than cash is possible with a hosted solution, so as the industry changes, you’ll be on the forefront of various payment type acceptance, plus get funds into your client hands faster with more advanced reporting than has ever been available.
4 critical benefits you can offer your medical clients:

1. Real time treasury reports- the number one reason businesses cite for wanting our cloud-based payment processing technology.
– Dynamic reports and graphics can show location, entire country operation treasury reports, and dozens of others. In just minutes CFOs can see their business operations from many perspectives.
– Review collected funds in real-time, on demand, from any location. Check or credit card.
– Export data for other systems on demand.

2. Payment Card Industry Data Security Standards Compliance. Most have no idea what PCI DSS is, yet the merchant account holder is responsible and liable in the event of a data breach. Educating your clients and helping them reduce risk is a competitive advantage.

3. Eliminate terminals- no need to replace hardware due to being outdated.

4. Guaranteed best interchange qualification- whatever their price plan, this system will ensure every transaction processes at the lowest rate possible via patented technology. Human and equipment errors are eliminated. Merchants can keep their existing processor- or change- we’re neutral.

Medical Business Payment Problems:
– Time gap from services rendered to cash in bank.

– Patients paying a co-pay on the visit, then after getting paid by the insurance company, the patient ends up having a balance due.

– Offering the option to make multiple payments in special circumstances.

We offer two distinct solutions for MEDICAL BILLING PROVIDERS to help solve these problems:


This solution can be implemented immediately and is fully compatible with existing merchant accounts. Your clients want you to use this because they like the graphical reports and instant access to data on demand.

You can resell the solution. This is an up-sell service your clients really want once they see it.

2. On location equipment PLUS VIRTUAL TERMINAL
Hardware at business office and Virtual Terminal at billing provider (you).  The sales for both retail card present and subsequent sales, card not present, will appear in the Virtual Terminal and all reports.

Access a secure payment processing platform and create a TOKEN to enable rebilling the patient or to set up recurring billing. Card data is never stored at the merchant location and the token links only to remotely hosted encrypted data. To re-bill, the merchant enters the patient name, transaction amount, and the TOKEN ID.
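To make the token model concrete (and the ‘notes field’ exposure described in the first article), here is an added Python sketch; it is not CenPOS or 3D Merchant Services code, and the vault class, its method names and the toy XOR keystream (a stand-in for real at-rest encryption on the hosted servers) are my own assumptions. It shows a vault that returns only a random token plus the last four digits, never stores the CVV, and a Luhn-based scanner a merchant could run over free-text notes to find card numbers that should not be there.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional

# Assumptions (not from the article): the vault class and its method names
# are invented for illustration; the XOR keystream is a toy stand-in for real
# at-rest encryption such as AES-GCM on the hosted, PCI-scoped servers.

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: filters out most non-card digit runs (invoice numbers, phones)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Scan a free-text field (e.g. a billing 'notes' column) for card numbers."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


class TokenVault:
    """Stand-in for the remote card store; the merchant only ever sees the token."""
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._records: Dict[str, dict] = {}

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Toy keystream: one SHA-256 block covers a PAN of up to 19 digits.
        stream = hashlib.sha256(self._key + nonce).digest()
        return bytes(b ^ k for b, k in zip(data, stream))

    def tokenize(self, pan: str, expiry: str, cvv: Optional[str]) -> dict:
        """Store the card and hand back only a token plus the last four digits."""
        pan = re.sub(r"[ -]", "", pan)
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The CVV may be sent with the first, live authorization (simulated here)
        # and is then discarded: card brand rules forbid storing it at all.
        cvv_checked = cvv is not None
        nonce = secrets.token_bytes(16)
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
        self._records[token] = {
            "nonce": nonce,
            "pan_ct": self._xor(nonce, pan.encode()),
            "expiry": expiry,
            "last4": pan[-4:],
        }
        return {"token": token, "last4": pan[-4:], "cvv_checked": cvv_checked}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Re-bill by token: the PAN is decrypted only inside the vault."""
        rec = self._records[token]
        pan = self._xor(rec["nonce"], rec["pan_ct"]).decode()
        approved = luhn_valid(pan)  # stand-in for the processor's response
        return {"approved": approved, "amount_cents": amount_cents, "last4": rec["last4"]}

    def stored_fields(self, token: str) -> set:
        return set(self._records[token])
```

The merchant’s billing database should hold only what `tokenize` returns (token and last four); running `find_pans` over its notes column is a quick way to confirm no full card numbers were keyed in.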

Patients agree to have their card charged, usually up to a specified amount, at the time of the original transaction. Merchants can print a receipt, or have an email automatically sent with the receipt.


  • Improve cash flow.
  • Reduce or eliminate collections.
  • Simplify the billing process- reduce workload.
  • PCI Compliant- secure solution eliminates exposed card data.
  • Reduce opportunities for internal fraud by eliminating receiving card data within mailed billing responses.
  • Managed payment processing costs- eliminates costly human errors that result in interchange qualification downgrades.


  • Optional Signature Capture terminal at the medical business location stores patient opt-in agreement electronically indefinitely.
  • Access secure web page from any computer.
  • User control for all functions and reporting. You decide who can perform what type of transaction and who can access reporting.
  • Optional industry template to capture insurance policy number, account number etc. Export reports on demand.
  • Real- time cash flow. Enables management to see multiple locations at a glance.
  • Multiple merchant accounts- Use the same system for multiple doctors within a location.
  • No more banks of terminals or dedicated phone lines- log in to each merchant account to process a transaction.
  • Minimal set-up. No major upfront investment.