Online Payment Pages: How to Reduce Your PCI Scope and Liability

Many businesses offer online bill pay options as an added convenience for their patients and as a way to get paid faster. That’s a smart move! But did you know that your liability and the scope of the PCI security requirements you must meet differ depending on where and how the payment form on your website is hosted? This week we’re diving into three different types of online payment pages.
What does "hosted" mean, you ask? Hosted refers to where the payment form lives and where the payment information entered on the page goes after the patient clicks Submit or Pay Now.
Top three types of online payment pages
Outsourced payment page - With the outsourced payment page, the form on which your patients enter their payment information is embedded in your website via an iframe. It appears that the patient is making a payment on your website, but in reality all of the payment information is posted directly to a third-party payment processor. The payment processor hosts the payment page on its own servers, keeping cardholder data away from the practice's systems.
Once the patient has entered and submitted all of their information, they are returned to the practice's main webpage and can continue to browse. The benefits of this kind of payment page are simplicity and speed of payment, because the patient never has to leave your website.
Self-hosted payment page - In this scenario, the practice has built its own website and its own payment form. Payment data entered on a self-hosted page is received by the practice's website and then forwarded to the payment processor. Practices maintain complete control over the payment process, but they carry more liability and remain within full scope of PCI.
Redirection link - This is the most common process because it greatly minimizes PCI scope and reduces liability for a practice. In this scenario, the patient clicks a "Pay Online" button on the practice's website and is redirected to a separate, third-party site run by the payment processor (such as Corral), where the patient then enters their payment information. The payment processor hosts the payment page on its own servers, keeping cardholder data away from the practice's systems.
Example: a patient goes to www.yourpracticename.com, clicks the Pay Online link, and is redirected to https://secure.corralsolutions.com/yourpracticesuniqueidentifier
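A small helper, added here and not part of the original post or Corral's own software, that sorts a page's HTML into the three hosting models above by checking where its forms, iframes and links point. The cardholder-field name hints and the sample host www.yourpracticename.com are assumptions; it also reports a fourth case the post does not cover, a card form that posts straight to a third party.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Attribute fragments that suggest an <input> collects cardholder data (assumed heuristic).
CARD_FIELD_HINTS = ("cc-number", "cc-exp", "cc-csc", "card", "cvv", "cvc")

class PaymentPageScanner(HTMLParser):
    """Records where each card-entry form, iframe and outbound link points."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.forms, self.iframes, self.links = [], [], []
        self._form = None  # the <form> currently being parsed, if any

    def _host(self, url):
        # Relative URLs such as "/pay" resolve to the practice's own host.
        return (urlparse(url).hostname or self.site_host).lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "form":
            self._form = {"host": self._host(a.get("action", "")), "card": False}
        elif tag == "input" and self._form is not None:
            probe = a.get("name", "") + a.get("id", "") + a.get("autocomplete", "")
            if any(hint in probe for hint in CARD_FIELD_HINTS):
                self._form["card"] = True
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(self._host(a["src"]))
        elif tag == "a" and a.get("href"):
            self.links.append(self._host(a["href"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def classify_payment_page(html, site_host):
    """Map a page to the hosting models discussed in the post, highest scope first."""
    s = PaymentPageScanner(site_host)
    s.feed(html)
    s.close()
    card_forms = [f for f in s.forms if f["card"]]
    if any(f["host"] == s.site_host for f in card_forms):
        return "self-hosted"  # card data reaches the practice's own server: full PCI scope
    if card_forms:
        return "direct-post"  # card form posts straight to a third party (not one of the three above)
    if any(h != s.site_host for h in s.iframes):
        return "outsourced-iframe"
    if any(h != s.site_host for h in s.links):
        return "redirect"
    return "none-found"
```

The result is only a first-pass indicator for a scoping discussion; which SAQ applies is decided by your acquirer's rules, not by this script.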
How can Corral help?
At Corral, we provide our clients with a link that they can add to their website. Using Corral this way counts as the redirection-link approach to processing your online patient payments. The link directs the patient to a secure payment portal away from your website, and we take care of the rest! Security for your patients, less liability for you.