What every NHS trust finance manager needs to know about payment security

New figures released in the updated 2023 Fraud Report show that reports of fraudulent attacks have increased yet again. A rise of 1,407 cases of fraudulent activity was recorded in April, May and June, compared with the first three months of the year, at a cost of £593 million. This takes the total cash stolen through fraud to almost three and a half billion pounds in the past 12 months.

Posted 28/11/2023

It seems that cyber crime is never out of the news, with sophisticated attacks becoming more and more prolific and, in some cases, stealing hundreds of thousands of pounds in a single intrusion.

We are moving increasingly towards a cashless existence in which it is rare not to be offered other payment options, including chip and PIN, contactless payments and biometrics using fingerprint or iris verification. As cash use declines, these other options grow, which is why security is so important to organisations looking to instil consumer confidence.

How the public sector benefits from offering card payments

So, given the inherent risks, why would a public sector organisation such as the NHS wish to offer the option of paying by card in the first place? It is clear why a private business would want to provide various means of paying (not least to make it as easy as possible for the customer to buy its products or services), but why would the public sector need to do the same?

The answer is the need for first-class customer service combined with efficient, streamlined workflows which ultimately save money on administration.

If, say, a visitor to a hospital needs to park their car for a couple of hours, or a mum-to-be would like a copy of her baby's 12-week scan, how much easier can you make it for them, and for your staff, by offering the option of card payments?

And for those patients who pay for their treatment, such as overseas visitors or private patients, think how much administration time can be saved when fees can be paid instantly by simply presenting a card: an easier, smoother experience for all, patient and staff alike.

Ensuring security comes first

With the acceptance of card payments comes the responsibility of ensuring these payments can be made safely. Not only is compliance with PCI DSS (the Payment Card Industry Data Security Standard) essential, but you need your customers to feel confident that their card details are protected, and you need to minimise the risk of fraudulent payments to protect the income of your trust.

As we know, an organisation that fails to comply with the relevant data security standards is responsible for any losses through fraud and is likely to face considerable fines and legal fees. And if you are taking card payments by telephone, you should be working with a formally accredited PSP (Payment Service Provider) who will handle the connections and relationships with network providers and acquiring banks. PSPs undergo a rigorous annual PCI audit and will have invested significant time, money and resources to achieve and retain this compliance.

Equally important is the fact that your patients and visitors will suffer if their card details or information are compromised. This can lead to a loss of confidence on their part, and they may insist on making future payments by other means. Those channels, including taking cash, are often less attractive, usually because they are more labour-intensive and therefore cost your organisation more to administer.

It doesn't stop there, of course. Wider consequences can include negative publicity: no-one wants to be in the news for a security breach, particularly when there are measures you can take to safeguard against it happening in the first place.

Five ways to ensure secure card payments

These are the five main rules for staying on the right side of the law while protecting those who make payments to you:

1. Select your PSP carefully

When choosing a Payment Service Provider to work with, select one with a proven track record in card security and a significant, established presence.

2. Don't hold card details on your own infrastructure

Look for a cloud-based, PCI DSS-certified service, hosted in a certified data centre, that ensures no card details are stored on your own infrastructure.

3. Protect your staff and those making payments

If taking payments over the phone, ensure staff never ask the payer to provide card details in a way that lets the staff member see or hear them. Ideally, your staff should pass the payer seamlessly to an automated service that lets them enter the details using the telephone keypad.

4. Keep any details as a 'token'

If card details are to be stored (in a certified data centre), either for re-use on future payments or for a schedule of payments, ensure they are held in tokenised form rather than as the actual card number.
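Rules 2 and 4 taken together, as an added example that is not code from the original article or from any named PSP: a hypothetical `PspVault` stands in for the PSP's certified data centre, the trust keeps only a random token and a masked card number for a schedule of payments, and a Luhn-based scope check (which goes beyond the article) confirms that no raw card number has crept into the trust's own records. The card number used is a constructed test value.

```python
import re
import secrets
from dataclasses import asdict, dataclass, field


class PspVault:
    """Stand-in for the PSP's certified data centre: the only place a PAN exists."""

    def __init__(self):
        self._cards = {}  # token -> (pan, expiry); never on trust infrastructure

    def tokenise(self, pan, expiry):
        # The token is random, so nothing about the card can be recovered from it.
        token = "tok_" + secrets.token_hex(16)
        self._cards[token] = (pan, expiry)
        return token, "*" * (len(pan) - 4) + pan[-4:]

    def charge(self, token, amount_pence):
        # A scheduled instalment is taken by token; the trust never handles the PAN.
        return token in self._cards and amount_pence > 0


@dataclass
class TrustPaymentPlan:
    """Everything the trust keeps for a schedule of payments. No card number."""
    patient_ref: str
    token: str
    masked_pan: str
    instalments_pence: list = field(default_factory=list)


PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits):
    """Luhn check digit test, which every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def contains_raw_pan(text):
    """Scope check: does a record hold a Luhn-valid 13-19 digit run, i.e. a raw PAN?"""
    return any(luhn_ok(m.group()) for m in PAN_RE.finditer(text))


def set_up_plan(vault, patient_ref, pan, expiry, instalments_pence):
    token, masked = vault.tokenise(pan, expiry)
    plan = TrustPaymentPlan(patient_ref, token, masked, list(instalments_pence))
    if contains_raw_pan(str(asdict(plan))):  # refuse to save a record holding a PAN
        raise ValueError("raw card number found in trust record")
    return plan


if __name__ == "__main__":
    vault = PspVault()  # "4111111111111111" is a constructed test card, not a real one
    plan = set_up_plan(vault, "PAT-0001", "4111111111111111", "12/27", [5000, 5000])
    print(plan.masked_pan, all(vault.charge(plan.token, p) for p in plan.instalments_pence))
```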

5. Use encryption when the cardholder is present

For cardholder-present payments, P2PE (Point-to-Point Encryption) ensures that sensitive data cannot be intercepted at any point between the card entry device and the verification service.

If it seems that offering card payments means having to jump through hoops, it’s worth remembering that it will pay off - providing a range of convenient and secure ways to pay helps increase trust revenue flow and reduce the level of arrears, not to mention the numerous possibilities for reducing administrative costs. The key is simply to play by the rules, and to seek expert advice if you’re not sure what these are.