Guest Article with Tom Cooley of Go CardConnect.
Every day we entrust Apple, Google, Amazon, Uber, Netflix, utility companies and many others with our sensitive credit card information. With so much concern over data breaches, why do we continue to trust these entities with our card data? What security features are in place to keep card data safe? What level of security protects against fraud and data breaches?
These are important questions as we move towards the subscription economy and push payments into the background, as a "feature" of some other application: billing, scheduling, customer relationship management, or some other workflow or automation. The end result is an automated process in which funds are collected on an agreed schedule.
This concept should be no different within the Physical Therapy community. When billing insurance, there is often a final balance that comes due well after the final visit, and chasing those funds is costly. When selling packages, or collecting a large outstanding balance, a scheduled payment plan helps both the patient and the provider. When seeing patients on a recurring basis, securely storing credit card information can streamline operations and let front desk staff genuinely engage with each patient rather than simply transact. As Jerry Durham says, "Putting patients first".
How can a Physical Therapy practice securely store credit card information, while remaining compliant?
First, storing card numbers on a piece of paper or in a folder in a locked safe, or in a file on your computer, is a problem under the PCI DSS (Payment Card Industry Data Security Standard). Such records bring the practice fully into scope: the standard requires stored card numbers to be rendered unreadable (a plain file on a front desk PC does not qualify), and it prohibits keeping the security code or the full magnetic stripe data after authorization at all. It is also looked upon badly by your patient population. Consumers are more savvy these days, and are acutely aware that keeping live card numbers on paper or in a spreadsheet is frowned upon.
Many systems exist for medical providers to accept and store cards securely. A solution that combines "Point-to-Point Encryption" (P2PE) with "Tokenization" significantly raises the security of your payments, because the practice never holds card data it could leak. A P2PE solution validated and listed by the PCI Security Standards Council also dramatically reduces, though it does not entirely eliminate, the practice's PCI compliance burden: the practice still answers a much shorter self-assessment (the SAQ P2PE) covering the physical devices and the staff who handle them.
In a Physical Therapy practice this works as follows. The card is swiped or dipped into a P2PE-certified device (mag-swipe, chip reader or keypad), and the card data is encrypted inside the device, at the read head, before it ever reaches the practice's computer or network. For online bill pay the equivalent is a hosted payment page provided by the processor, so that the card number is entered directly into the processor's form and never touches the practice's own website. In both cases the important point is that the card number is never visible to the practice or its staff.
The encrypted card data is sent to the processor for authorization, and what comes back to the practice is a "Token": a random identifier that has meaning only inside the processor's token vault, where it maps back to that card for that merchant. The token cannot be decrypted or reversed by anyone who obtains it, and it is useless at any other merchant. Utilizing P2PE renders the card data useless from the moment it enters a merchant's system all the way through the transaction cycle, because it is of no value to anyone without the decryption key, which lives only at the processor. Card data theft from a merchant operating in a P2PE environment is therefore virtually non-existent; note that this protects the practice against a data breach, not against a patient presenting a card that was already stolen elsewhere.
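The flow described above, as an added illustration (not Go CardConnect's or any processor's code): a reader encrypts the card at the swipe, only the processor can decrypt it, the practice receives and stores nothing but a token and the last four digits, later charges go through the token, and the token is rejected if another merchant tries to use it. The HMAC-SHA256 keystream is a stand-in for the real device encryption and is labelled as such; the party names and the `tok_` prefix are assumptions for the example.

```python
"""Toy model of P2PE + tokenization: what each party ever holds.

Added illustration only. The HMAC-based cipher stands in for the
DUKPT/AES encryption a real P2PE reader performs; the point is the data flow.
"""
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from an HMAC PRF (toy cipher, not for production)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _subkeys(device_key: bytes) -> tuple[bytes, bytes]:
    enc = hmac.new(device_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(device_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(device_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc, mac = _subkeys(device_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def decrypt(device_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a tampered blob or wrong key is rejected outright."""
    enc, mac = _subkeys(device_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered or wrong device key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check digit validation on a card number."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class P2PEReader:
    """Reader with a key injected before deployment; encrypts at the read head."""
    def __init__(self, serial: str, device_key: bytes):
        self.serial, self._key = serial, device_key

    def swipe(self, pan: str, expiry: str) -> dict:
        return {"serial": self.serial, "blob": encrypt(self._key, f"{pan}={expiry}".encode())}


class Processor:
    """Holds device keys and the token vault; the only party that ever sees the PAN."""
    def __init__(self):
        self._device_keys = {}   # serial -> device key
        self._vault = {}         # token -> (merchant_id, pan, expiry)

    def provision_reader(self, serial: str) -> P2PEReader:
        self._device_keys[serial] = secrets.token_bytes(32)
        return P2PEReader(serial, self._device_keys[serial])

    def authorize_and_tokenize(self, merchant_id: str, swipe: dict, amount_cents: int) -> dict:
        pan, expiry = decrypt(self._device_keys[swipe["serial"]], swipe["blob"]).decode().split("=")
        if not luhn_ok(pan):
            return {"approved": False, "reason": "invalid card number"}
        token = "tok_" + secrets.token_hex(12)          # assumed token format
        self._vault[token] = (merchant_id, pan, expiry)  # PAN stays here, never returned
        return {"approved": True, "amount_cents": amount_cents, "token": token, "last4": pan[-4:]}

    def charge_token(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        entry = self._vault.get(token)
        if entry is None or entry[0] != merchant_id:   # token is bound to one merchant
            return {"approved": False, "reason": "unknown token for this merchant"}
        return {"approved": True, "amount_cents": amount_cents, "last4": entry[1][-4:]}


class Practice:
    """Merchant side: stores only what the processor hands back."""
    def __init__(self, merchant_id: str, processor: Processor, reader: P2PEReader):
        self.merchant_id, self.processor, self.reader = merchant_id, processor, reader
        self.card_on_file = {}   # patient -> {"token", "last4"}

    def checkin_and_store_card(self, patient: str, pan: str, expiry: str, copay_cents: int) -> dict:
        resp = self.processor.authorize_and_tokenize(self.merchant_id, self.reader.swipe(pan, expiry), copay_cents)
        if resp["approved"]:
            self.card_on_file[patient] = {"token": resp["token"], "last4": resp["last4"]}
        return resp

    def bill_balance(self, patient: str, amount_cents: int) -> dict:
        rec = self.card_on_file[patient]
        return self.processor.charge_token(self.merchant_id, rec["token"], amount_cents)


def demo() -> dict:
    proc = Processor()
    clinic = Practice("MERCH-PT-1", proc, proc.provision_reader("RDR-0001"))
    pan = "4111111111111111"   # constructed sample: a well-known test card number
    first = clinic.checkin_and_store_card("patient-42", pan, "2912", 2500)
    later = clinic.bill_balance("patient-42", 8000)              # card-on-file charge
    dump = repr(clinic.card_on_file)                               # what a breach of the practice yields
    replay = proc.charge_token("MERCH-OTHER", first["token"], 100)  # token used by someone else
    return {"first": first, "later": later, "pan_in_dump": pan in dump, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The property to check is that a copy of `clinic.card_on_file` contains no card number, and that the token it does contain is refused for any merchant other than the one it was issued to.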
Beyond security, P2PE is practical!
Payment processors that invested their resources in pioneering new secure payment solutions focused on the recurring payment market. This means that in addition to traditional payment acceptance models (credit card terminals, mag-swipe readers with a virtual terminal, or a mobile application), Physical Therapists can now offer the following payment options:
- “Card-on-File” to streamline front desk operations
- Payment Plans – Create scheduled payments for specific dollar amounts
- Recurring Payments – Wellness programs, subscriptions, etc
So, is it safe for my private practice to store credit card data?
Not on its own: your practice should never hold raw card data itself. But with the right merchant processor offering P2PE + Tokenization tools and technology, the card data is held by the processor rather than by you, and your private practice is doing everything possible to offer a safe place for your patients to come for treatment. If your merchant processor does not offer P2PE, it is ignoring the reason the card brands pushed the technology in the first place: merchants using a validated P2PE solution give an attacker nothing to steal from their systems. The PCI Security Standards Council publishes a list of validated P2PE solutions; check that your processor's platform appears on it.
Tom Cooley, CEO of Go CardConnect, offers secure payment solutions for the Physical Therapy market. Tom also works closely with technology providers in the Physical Therapy space, as well as third party software vendors, to integrate Go CardConnect's payment technology. "Physical Therapists choose Go CardConnect due to the wide range of payment options available, low rates and personalized service. Contact Tom at Go CardConnect today for further details on how we can help."