This is a guest post by Barnard Crespi, Co-Chief Executive Officer of Datatel. Datatel is integrated with Sphere for secure payment acceptance via Datatel’s IVR solutions.

Learn how IVR Payment Solutions Can Help Healthcare Providers Relieve the Stress on Staffing and Business Operations Caused By the COVID-19 Pandemic

The COVID-19 pandemic has drastically impacted the functioning of healthcare providers across the board. Business leaders have been forced to recalibrate their entire operations, quickly activate business continuity plans, make staff reductions and/or reallocations and implement work-at-home policies where viable. The ability of healthcare providers to respond promptly to their patients’ phone inquiries, prioritize payment calls and maintain PCI compliance and data security as staff works from home can be compromised by the need for on-the-fly re-architecture of business and security processes to respond to rapidly changing developments.  For those healthcare providers seeking a solution to what might very well end up becoming a long-term issue, IVR payments can be a vital payment acceptance solution.  Implementation of IVR payments can help healthcare providers relieve the stress caused by the need for significant staff changes while enabling them to continue processing patient payments.  All this without compromising customer service or PCI compliance.

IVR Payments (Interactive Voice Response) is a technology that allows patients to make payments over the telephone by interacting with an automated system, as opposed to having to provide their payment card information to a live agent. Because it is fully automated, an IVR payment solution can operate 24/7 as opposed to being limited to a business’s normal hours of operation (“normal” being an ever-evolving concept in these uncertain times). And for those healthcare providers that for various reasons still require the involvement of an agent or staff member in the process, IVR can be deployed in such a way as to allow representatives to speak to patients and then transfer the call seamlessly when it’s time to collect and process the caller’s payment information.

Types of IVR Payment Solutions

There are two primary types of IVR payment solutions.

  1. Customer (Patient) Self-Service – IVR Payment Solutions:

With Customer (Patient) Self-Service IVR payments, your patients call your organization’s existing phone number and select “Payments” from your front-end phone menu (e.g. “To Make A Payment Now, Press 1”; you can set it as 1, 2 or 3, whichever works best for your organization). Your phone system will transfer the call to your Datatel Pay-By-Phone line, which is branded and configured to your specifications. Your patients can make a payment using their payment card in a PCI compliant environment, with transactions processed in real time to your Sphere, Powered by TrustCommerce account. Datatel’s IVR Payment platform is integrated with the Sphere/TrustCommerce gateway so organizations can process payments securely. Sphere’s experience in integrating patient payments for hundreds of leading health systems over the last 15+ years gives comfort to patients and providers that their data will be kept secure.

  2. Agent Assisted – IVR Payment Solutions

While your representative is speaking with a patient, he or she can transfer the patient to the Datatel Pay-By-Phone line when it comes time to collect the patient’s payment information. Your representative can then exit the call, thereby ensuring the confidentiality of your patients’ payment card information. This solution leaves your patients confident that their information is safe and secure, and you can rest easy in the knowledge that your phone payment solution supports your PCI compliance.

Datatel’s IVR Payment Solutions can help you manage call payment activity efficiently and securely. Among its many advantages are:

  • Your patients can securely make phone payments 24/7, outside your regular business hours
  • Your staff no longer has to devote time to handling payment-related calls, which reduces the stress on them and makes your operations more efficient and responsive. This can also work with representatives who are re-deployed to work from home.
  • The solution complies with industry security requirements (PCI and HIPAA) and keeps you in compliance while you re-deploy your workforce.
  • Transactions flow directly into your existing Sphere, Powered by TrustCommerce account without having to make any changes.
  • Datatel posts the payment information back to the EHR automatically.
  • Datatel IVR solutions can be deployed in a matter of days. Depending on the complexity of the deployments, implementation times can take as little as 5 to 12 business days.

We are hopeful that with the efforts of medical experts and scientists globally, the current COVID-19 pandemic and the impact that it has on all of our lives will begin to subside. Businesses and organizations that are burdened with coping with all of the implications need to make sure that they are not just making decisions that help them navigate the here and now, but that will also serve them well when things eventually return to normal (or whatever the new normal ends up being).

In turbulent times like the ones we are experiencing, when the situation changes throughout the day and reaction time is of the essence, our experienced and dedicated teams of IVR Payment Solutions specialists can have your IVR Payments Solution up and running in a matter of days with no need for any hardware or software for you to buy or install. Contact us; we are here to help.

 

 

ISV Insights on Payments and Compliance

By Dr. Heather Mark, CCEP

The complex puzzle of PCI DSS compliance can be made more challenging for merchants when they introduce the wide variety of service providers that they use in order to service their customers. Increasingly, Independent Software Vendors (ISVs) are working to simplify their merchants’ burdens by introducing integrated payment functionality. In essence, the ISV is presenting a one-stop opportunity for merchants to support their business management objectives – be it through back office support, inventory management or billing – while also enabling payment functionality. In doing so, the ISV may inadvertently become the de facto resource for merchants on all things PCI DSS related. So, what are some things that ISVs can do to help support their merchants in achieving and maintaining PCI DSS compliance?

#1 – Understand your own PCI DSS compliance obligations and status

It isn’t uncommon for an ISV to be new to the payments ecosystem. Even for those companies that are deeply ingrained in the payments chain, the compliance and security obligations facing payments companies can sometimes get confusing.  As an ISV, it is important to understand whether your integration of payment functionality renders you a Payment Service Provider, as defined by the PCI SSC.  A Payment Service Provider is an entity that stores, processes, or transmits cardholder data on behalf of another entity, or can impact the security of the transaction.  If the ISV integrates payments in such a way as to fall into that scope, then the ISV must validate compliance with the PCI DSS.  Merchants must use PCI DSS compliant service providers, so it’s important that ISVs are prepared to provide their Attestation of Compliance (AOC) to their merchants.

If the ISV is able to offer payments functionality without falling into the Payment Service Provider scope, then the entity must be able to clearly articulate how they are able to maintain that status.  For example, if the ISV has partnered with another PCI-compliant service provider to offer a hosted payment page, and the ISV does not host, nor does it redirect to that page, then it may be possible to remain out of scope. This is dependent on the ISV integration and the current guidance from the PCI SSC and the card brands.

#2 – Implement Industry Best Practice Even if You’re Not in Scope

Even if an ISV is able to maintain a posture that keeps it out of scope for PCI DSS, it is important to maintain industry best practice for data security and privacy. Having good security practice is not just necessary for those companies that are obligated to PCI DSS. Most states have data breach notification laws that offer safe harbor for encryption of sensitive data, as long as the encryption keys are not also exposed. Additionally, states are rapidly moving towards the adoption of privacy laws, most of which have data protection requirements. Maintaining compliance with industry standards such as PCI DSS, even in the absence of card scheme requirements, can put an ISV, and by extension their clients, in good stead with respect to existing and forthcoming regulatory requirements.

#3 – Explain the Payment Integration Options that You Offer and their PCI Implications for Your Merchants

For ISVs that are looking to add payments functionality, it’s important to understand how the choices you make about the payment solutions you integrate cascade down to merchants. For instance, if an ISV integrates a hosted payment page, the likelihood that the merchant will be able to validate their own compliance using the SAQ A is fairly high. However, if an ISV integrates and offers a redirected page, the merchant is more likely to be required to validate using an SAQ A-EP, which is a much longer questionnaire. Both may be valid choices for a variety of reasons, but ISVs should understand the implications for their merchants.

#4 – Clearly Communicate Who Owns What Responsibilities

The interplay between merchants and service providers can be complex, particularly if merchants are able to select services and features a la carte. This can lead to uncertainty as to which entity might own responsibility for various security controls. ISVs can demonstrate partnership with their merchants by providing a “shared responsibility” matrix. The matrix doesn’t need to be very complicated, but it should clearly delineate which PCI responsibilities belong to the ISV and which belong to the client. Since all merchants must comply, and any business with a Merchant Identifier (MID) must validate compliance, this documentation can significantly simplify their own process of PCI compliance management.

PCI DSS compliance is a fact of life for any participant in the payment system.  Understanding how your decisions as an ISV can impact the compliance standing of your client portfolio can help you make more informed decisions about the solutions that you implement and may simplify the compliance and validation process for your merchants.

Hosted Payment Solution ISV

We recently sat down with Curtis Bauer, Sphere Chief Product Officer, to learn about an innovative new product, Hosted Multi-Channel Payment Suite. This solution gives software vendors the power of accepting payments via many channels through one single integration.

Q1: You recently launched a hosted payments product suite for software vendors. What sparked the solution?

Bauer: That’s actually an interesting story. The Sphere Product team is constantly thinking about ways in which we can solve ISV needs in the most impactful, secure, but lightest way possible. One of our most successful ISV solutions is our Premier hosted payment page, which enables ISVs to accept card-not-present transactions within their SaaS-based solution, e-commerce site, mobile, text or even email. In fact, calling it a hosted payment page is probably a bit of an understatement as it somewhat minimizes its robust capabilities. ISVs love the product due to its simple integration, branding and style continuity, as well as PCI scope reduction.

The Product team thought about ways we might be able to leverage all of the benefits that are inherent with our Premier hosted payment page, but allow us to expand it into other user scenarios, including the ability to accept EMV card present transactions. The team came up with an idea to leverage a fairly underutilized technological approach, which the team theorized might allow us to connect a traditional EMV card reader to a PC and process EMV transactions through a browser, without the need to install software on the desktop or leverage any antiquated java scripting to communicate with the EMV device. To test the theory, the Product team worked with our Development team and to make a long story short, the approach was proven to be viable and it ended up being the foundation for expanding our hosted payment page into an entire multi-channel hosted payment product suite.

Q2: What are the main problems this solution solves?

Bauer: ISVs have four critical challenges as it relates to adding payment acceptance to their core product solution:

  1. How do they enable payments to their solution with the least amount of development effort
  2. How do they enable payments in a way that does not interrupt the user experience, keeping the same look, feel and flow
  3. How do they enable payments across multiple acceptance use cases
  4. Possibly the most important challenge, how do they ensure cardholder data does not reside within the ISV’s platform, minimizing their PCI footprint, while protecting their customers from cardholder data breaches

Our new hosted payment product suite solves for these critical challenges and much more. ISVs face so many challenges with bringing their products to market. As a payment processor and gateway platform, we have a responsibility to ensure payment acceptance doesn’t become one of those challenges, but more importantly, ensure payment acceptance enhances their core product offering to improve the overall value proposition to their customers.

Q3: How can this product suite fit into software vendors’ business models? Can you share an example?

Bauer: One of my favorite examples is an ISV that creates business management software for a bakery. Let’s say that the bakery sells their products from a retail location. They need the ability to accept card-present EMV transactions from their in-store customers through the ISV’s SaaS-based business management solution. The bakery also has a website where they accept orders for birthday cakes or other items, in which they need the ability to accept credit card transactions online. The bakery also has a cookie of the month club, where subscribers pay a monthly fee to enroll into receiving a dozen of their specialized cookies each month at a discounted price. The bakery needs the ability to accept a credit card, either in person or online, and then set up the card for a monthly recurring subscription billing. Finally, the bakery also takes orders over the phone for delivery. They need the ability to accept credit card information over the phone and process the transaction securely. Our hosted payment product suite not only provides the ability for an ISV to enable accepting payments via all of these scenarios, but it also allows them to do so while ensuring sensitive cardholder data is never stored within their platform, but is instead transmitted, processed and stored within the Sphere secure gateway. In addition, this only requires one simple integration, which allows the ISV to spend more time focusing on enhancing their core product instead of allocating precious development resources to managing their payment acceptance program.

If you would like to learn more about the Hosted Multi-Channel Payment Suite, read the fact sheet.


Curtis Bauer, Chief Product Officer, brings more than two decades of payment industry experience with a core focus on Product, Technology and Corporate strategy. He has held Senior Leadership roles at TSYS, TransFirst and Vantiv. He is responsible for identifying and executing on our product strategy to help deliver growth by providing innovative solutions to our customers.