How Healthcare Providers Can Reduce PCI Scope with Semi-Integrated Payments

HealthcareData breaches have plagued the U.S. market for a long time. Within the healthcare industry, providers are the worst affected. According to the HIPAA journal, 329 data breaches were reported in 2016, in which over 16 million records were exposed. Based on IBM’s Cost of Data Breach Study, healthcare organizations have an average cost of $355 per stolen record. That would put the total cost of 2016’s data breaches at a staggering $5.6 billion. Apart from compromising healthcare records, these data breaches can also involve a provider’s payment infrastructure. If these systems are not secure, sensitive payment data can also be stolen, which inevitably leads to fraud.

To help solve this, the healthcare industry needs a more flexible approach to streamline its payment process, enhance payment security, and manage PCI scope. This is where semi-integrated payments can help.

HealthcareOur recent blog post explained the difference between a semi-integrated payment architecture and a fully integrated system. In a semi-integrated environment, the communication between the payment terminal and the healthcare revenue cycle (point of sale or POS) system is limited to only non-sensitive commands. This means that any sensitive payment information never passes through the healthcare revenue cycle system. Let’s take a look how it works:

With semi-integrated payments, the amount due is generated by the healthcare revenue cycle system and sent to the payment terminal. Once the card holder uses a card for payment at the terminal, the credit card data travels directly to the transaction processor for payment authorization. The authorization response from the processor is sent directly to the smart terminal, which forwards the confirmation to the healthcare revenue cycle system. 

In this payment environment, sensitive card data never comes in contact with the healthcare revenue cycle system or the provider’s back office infrastructure. This strengthens payment security while it reduces the PCI scope. In the event of a breach or attack on a healthcare provider’s revenue cycle system, cyber criminals won’t gain access to any credit card information because the system didn’t come in contact with it. 

Benefits of Semi-Integrated Payments for Healthcare 

A semi-integrated payment environment brings many benefits to healthcare providers. Here are a few reasons to adopt this new architecture: 

1. Improved Security and Encryption: Eliminates cardholder data from the revenue cycle system

With a semi-integrated payment solution, healthcare providers can reduce their vulnerability to data breaches by keeping sensitive card data out of their revenue cycle environment. A typical semi-integrated solution is also compatible with payment security technologies such as point-to-point encryption (P2PE), which encrypts and protects payment card data as it’s transmitted from the payment terminal to the payment processor. This provides additional security and renders the encrypted data useless to attackers, even if they manage to compromise the transmission. 

2. Reduced PCI Audit Scope: Saves valuable time and money

By keeping the healthcare revenue cycle system and back office systems out of the transaction flow, semi-integrated payment solutions reduce PCI scope. For healthcare providers, this can result in huge cost savings on compliance and increase the chances of a successful PCI audit. It also saves time because a PCI audit takes less time with a semi-integrated solution than it does with a fully integrated environment

3. Complete Control: Separates the revenue cycle system from payment

As payment technology moves forward, healthcare providers need to be more agile and responsive to changing customer demands. A semi-integrated solution separates the merchant’s systems from the payment process, which allows them to adopt changes or upgrades to their point of sale or back office systems without affecting payment security. 

Given these benefits and the need for stronger security, healthcare providers should consider a semi-integrated approach when upgrading their payment solutions. It provides an easy path to streamline the payment process while reducing PCI scope and greatly improving security. It also saves time and money by helping providers future-proof their payment infrastructure for what may come next. 

To request more information about our healthcare solutions, click here.


Jeffrey Fountaine is Director, Healthcare Strategy at Ingenico Group, North America 

Share your comments