Is Your Organization Exposed to a Data Breach?

July 6, 2016 (last updated February 24th, 2020). HCEG Top 10, Privacy & Security

Too often the theft of protected health information (PHI) or personally identifiable information (PII) goes undetected until law enforcement or the FBI steps in. Last year alone, the healthcare industry suffered the largest healthcare data breach in U.S. history, compromising the records of nearly 80 million health insurance members.

While insurers remain the target of sophisticated cyber-attacks, there are several ways to combat this threat. To start, the industry must better understand both current and future threats and vulnerabilities, and it must place greater emphasis on cyber security to protect the information and data it is entrusted to manage on behalf of its customers, members, and patients.

In the individual health insurance market, payment facilitation relationships between health plans and software companies are common; they support the premium payment transactions paid by health plan members or other buyers. Serving as the merchant, the health plan may offer its benefit products both on and off the public health insurance exchanges. Because the health plan receives large volumes of payments, these relationships offer it unique advantages, shifting many functions and risks to the payment facilitator.

What is a Payment Facilitator?

Payment facilitators have the power not only to accept payments but also to disburse them to third-party entities. Serving a wide array of clients, they open doors for stakeholders who would otherwise be unable to perform critical business functions in their payment and transaction processes.

The payment facilitator model is at the core of businesses such as PayPal and Square, and it is typically adopted by independent sales organizations, transaction processors, payment gateways, third-party marketing firms, and web hosting companies.

Payment facilitators, also called payment service providers (PSPs), aggregate credit and debit card transactions in real time on behalf of the merchants they sponsor. Without their services, small businesses, individuals, organizations, and charities could not accept payments with the same ease. As a result, partnerships between such organizations and payment facilitators have grown in both number and popularity.

But how does this affect cyber security?

Becoming a payment facilitator is no easy feat. The process is complex: it requires confirmation of the organization's financial status and viability, proof of insurance, and other documentation needed to enter into a binding agreement with an acquirer. The payment facilitator must also decide which customer relationship management (CRM) platform it will secure and use to manage its sub-merchants, undergo stringent background and credit checks, and acquire the tools needed for regulatory compliance and data integrity, as well as fraud prevention tools that reduce its liability and risk.

Perhaps the most important step is the payment facilitator's obligation to validate its compliance with PCI DSS, the standard maintained by the PCI Security Standards Council. The Council, a global open body composed of representatives of the five founding global payment brands and its strategic members, publishes and maintains the payment security standards that merchants, service providers, financial institutions, and point-of-sale vendors must adhere to. Note that the Council itself does not enforce compliance: enforcement comes from the payment brands and acquiring banks through their contracts with merchants and service providers.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process, or transmit cardholder data for the major card brands (Visa, MasterCard, American Express, Discover, JCB). It should not be confused with the related Payment Application Data Security Standard (PA-DSS), formerly known as Visa's Payment Application Best Practices (PABP), which governs payment applications sold by software vendors; PCI DSS applies to the environment in which those applications and the cardholder data they handle are deployed.

PCI DSS provides a baseline of technical and operational requirements for protecting cardholder data, organized into twelve core requirements (as numbered in the PCI DSS v2.0 document linked at the end of this post):

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.

Figure 1 PCI Data Security Standard: 12 PCI DSS Requirements

With PCI DSS in place, the risk of cardholder data breaches is significantly reduced, though compliance is a baseline validated at a point in time rather than a guarantee: an organization can pass its assessment and still be breached if its controls lapse afterwards. From customers to merchants and financial institutions, the security of cardholder data affects everybody, and its loss can have devastating consequences. At the same time, payment facilitation has become critical to numerous small businesses, charities, and other organizations in meeting the demands of their customers and the payment methods those customers expect. By embracing new payment approaches and data exchanges, the payment facilitation model delivers a unique value proposition to its stakeholders, fulfilling business functions that the merchant could not otherwise perform.

Read more on the steps required to become a payment facilitator and the significance of PCI DSS in Softheon's whitepaper: Payment Facilitators & Aggregators: The Payment Facilitator Model Stakeholders & Considerations.

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

https://www.pcisecuritystandards.org/pci_security/