What every NHS trust finance manager needs to know about payment security

07 November 2017

By Andrew Davies, Product Development & Strategy Director, Pay360

An unusually good piece of news came out in the media recently, reporting that the amount of money stolen from credit and debit cards has fallen significantly, with banks now managing to stop two-thirds of attempted fraud.

Great news. However, it’s also true that payments continue to be a target and are a continually evolving area of crime. Financial Fraud Protection UK, responsible for leading the collective fight against fraud in the UK payments industry, publishes statistics showing that, although measures in place at UK banks and card issuers have detected and prevented the equivalent of £6.40 in every £10.00 of attempted fraud, fraud losses on UK-issued cards still totalled £618 million in the UK alone in 2016.

This is an important message for all of us – we’re moving increasingly towards a cashless existence where it’s rare not to be offered other payment options, including chip & PIN, contactless payments and biometrics using fingerprint or iris verification. With the decline in the use of cash comes the rise of these other options, which is why security is so important to organisations looking to instil consumer confidence.

How the public sector benefits from offering card payments

So, with the inherent risks, why would a public sector organisation such as the NHS wish to extend the options for paying by card in the first place? Although it seems obvious why a private business would wish to provide various means of paying (not least to make it as easy as possible for the customer to buy its products or services), some might question why the public sector would need to do the same.

The answer lies in the need for exemplary customer service combined with efficient, streamlined workflows which ultimately save money on administration. If, say, a visitor to a hospital needs to park their car for a couple of hours, or a mum-to-be would like a copy of their baby’s 12 week scan, how much easier can you make it for them, and your staff, by offering the option of card payments? And with those patients who pay for their treatment, say overseas visitors or private patients, think how much administration time can be saved when fees can be paid instantly by simply presenting their card - an easier, smoother experience for all, patient and staff alike.

Ensuring security comes first

With the acceptance of card payments comes the responsibility of ensuring these payments can be made safely - not only is compliance with PCI DSS (Payment Card Industry Data Security Standard) essential, but you also need your customers to feel confident that their card details are protected, not to mention the need to minimise the risk of fraudulent payments to protect the income of your trust.

Let’s look at the regulations and standards: failure to comply with the relevant data security standards renders any organisation liable for any losses through fraud, and likely to face considerable fines and legal fees. In a similar vein, the introduction of the General Data Protection Regulation in May 2018 brings with it the potential for fines of up to 4% of turnover for failure to comply. And if you’re taking card payments by telephone, you should be working with a formally accredited PSP (Payment Service Provider) who will handle the connections and relationships with network providers and acquiring banks. They undergo a rigorous annual PCI audit and will have invested significantly in time, money and resources to achieve and retain this compliance.

Equally important is the fact that your patients and visitors will suffer if their card details or information are compromised. This can lead to a loss in confidence on their part, and they may insist on making future payments by other means. Those channels, including taking cash, can often be less attractive, usually because they’re more labour-intensive and therefore cost your organisation more to administer.

It doesn’t stop there, of course - wider consequences can include negative publicity that discredits your organisation’s reputation – no-one wants to be in the news for a security breach, and particularly not when there are measures you can take to safeguard against this happening in the first place.

Five ways to ensure secure card payments

The five main rules of thumb for staying on the right side of the law whilst protecting those who make payments to you are:

  1. Select your PSP carefully
    When choosing a Payment Service Provider to work with, select one with a proven track record around card security and a significant, established presence.
  2. Don’t hold card details on your own infrastructure
    Look for a Cloud-based PCI DSS certified service, hosted in a certified data centre, that ensures that no card details are stored on your own infrastructure.
  3. Protect your staff and those making payments
    If taking payments over the phone, ensure staff don’t ask the payer to provide card details in a way where they either see or hear these. Your staff would ideally pass the payer seamlessly to an automated service which allows them to enter details using the telephone keypad.
  4. Keep any details as a ‘token’
    If card details are to be stored (in a certified data centre) either for re-use on future payments or for a schedule of payments, ensure these are held in tokenised form, instead of the actual card number being kept.
  5. Use encryption for when the cardholder is present
    For cardholder-present payments, P2PE (Point to Point Encryption) ensures that sensitive data can’t be intercepted at any point between the card entry device and the verification service.
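As an added illustration of points 2 and 4 (example code written for this article, not Pay360’s product or any PSP’s API), the Python below shows what tokenisation looks like from the trust’s side, and a simple check a trust’s IT colleagues could run over their own logs or database exports to spot raw card numbers that should never be there. The `TokenVault` class stands in for the PSP’s certified vault; the token format, the sample log line and the card numbers (public Luhn-valid test numbers) are all constructed for the example.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check: a 13-19 digit string that passes is a candidate PAN."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the PSP's PCI DSS certified vault.

    The real card number lives only inside the vault; the trust's systems
    store the random token (and at most the last four digits for receipts).
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}     # token -> PAN, vault side only

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)   # random, not derivable from PAN
        self._store[token] = pan
        return token

    def last4(self, token: str) -> str:
        return self._store[token][-4:]


# Digits optionally separated by spaces or dashes, as they appear in logs.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def find_pans(text: str) -> list[str]:
    """Defender-side check: return Luhn-valid card numbers found in text,
    e.g. a log line or export that lives on the trust's own infrastructure."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenise("4111111111111111")       # public test number
    print("trust stores:", token, "ending", vault.last4(token))
    # Constructed log line showing the kind of leak rule 2 is meant to prevent.
    print("leaked PANs:", find_pans("car-park pay card=4111 1111 1111 1111 ref=A1"))
```

A clean result from `find_pans` over your own logs and exports is the practical evidence that rule 2 is actually being met, not just intended.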

If it seems that offering card payments means having to jump through hoops, it’s worth remembering that it will pay off - providing a range of convenient and secure ways to pay helps increase trust revenue flow and reduce the level of arrears, not to mention the numerous possibilities for reducing administrative costs. The key is simply to play by the rules, and to seek expert advice if you’re not sure what these are.

Pay360 by Capita works in partnership with an increasing number of health trusts throughout the UK and beyond, providing a range of secure, easy-to-use payment solutions to reduce costs and improve efficiency.

To find out more, please call 0161 627 9706 or email Pay360@capita.co.uk