The U.S. migration to EMV chip technology – intended to reduce card fraud, provide global interoperability, and enable safer payment transactions – may prove to be a valuable move for more than just the payments industry.
The health care industry can benefit from the chip migration, too. By leveraging this new infrastructure and adding health care identity authentication applications, the health care industry has the opportunity to significantly reduce the massive $68 billion-a-year fraud problem and improve patient identity authentication.
The U.S. EMV chip migration in the payments industry is moving at a good pace. According to the EMV Migration Forum, more than 400 million EMV chip cards have been issued in the U.S. as of the end of 2015, with more than 70% of consumers having at least one EMV chip card in their wallets. Most major retailers have converted legacy point of sale (POS) systems to systems that include smart card readers that can accept EMV-compliant chip cards; many have also included support for Near Field Communication (NFC) and contactless payments as part of the conversion. U.S. retailers are making strong progress in migrating their legacy infrastructure to support EMV chip payments, with more than 1.2 million merchant locations currently enabled.
With this transition to the EMV-enabled POS infrastructure, health care identity authentication can converge with payments: the health care industry can use available smart card and EMV technology to add health care identity authentication to the payments acceptance infrastructure. By leveraging the EMV migration and the consequent shift in payments acceptance technology, health care smart cards and the hardware infrastructure to support them are becoming a reality.
Here are some possible scenarios for this convergence:
Scenario 1: two chip cards and one multi-application POS terminal. In the simplest scenario, two chip cards use the same POS terminal for the financial transaction and for identity authentication. The terminal is the convergence point for all health care identity and payment transactions.
In this scenario, the POS terminal has one application that reads an EMV-compliant chip card to implement payment transactions and a second health care identity authentication application to read the health care card.
One of the major benefits of this scenario is that the EMV chip card issuer does not have to be involved with the health care identity card issuer, making secure card provisioning much easier and eliminating the need for commercial agreements to be in place.
Scenario 2: one multi-application chip card and one multi-application POS terminal. Smart cards can store multiple applications securely on a single chip using a combination of data encryption and security domains. However, using a single multi-application card at a single multi-application POS terminal requires application integration both on the card and on the POS.
This approach has several advantages. For one, EMV chip card issuer data is securely managed and invisible to the health care application provider, and vice versa. Plus, both the health care application and EMV chip application reside on the same card. The EMV chip card issuer is the payment brand owner and the health care application provider is the co-brand health care identity partner.
Scenario 3: one chip card with “special” payment application. In this scenario, a single chip card would have a “special” payment application that supports EMV chip payment and also allows non-payment data to be stored within the application on the card. Such a data storage application could be used to support a profile that authenticates the cardholder to healthcare applications and also identifies any entitlements specific to the cardholder.
Although certification is required for the “special” payment application profile, one of the benefits of this scenario is that the payment applications themselves are already tested and available in the market. As another benefit, financial issuers can provide this as a service offering to managed health care identity partners.
Mobile is another consideration. An NFC-enabled mobile device could be provisioned with the applications described in any of these scenarios by downloading a mobile app. The payment or health care identity authentication transaction is done by tapping the mobile device on the contactless POS terminal. The mobile device can also support a biometric factor or a password for extra security. Transactions could be linked to the mobile device's GPS coordinates for post-processing activities.
An advantage in using mobile devices is that they can also support secure card-not-present transactions. Because the keys necessary for a financial or healthcare identity authentication application reside securely on the mobile device, a derivation of the keys could be used to sign a transaction that is completed in the cloud or on a networked server. This capability would offer significant benefits for enabling patient portal access and remotely managing patient continuity across multiple platforms.
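The card-not-present flow described above, as an added example that is not taken from the white paper or from any EMV specification: a device derives a one-use key from its provisioned key and a transaction counter, signs the transaction, and the server re-derives the key to reject tampering and replays. It assumes a symmetric device key shared with the server at provisioning and uses HMAC-SHA256 for both derivation and signing; every name and value is hypothetical.

```python
import hashlib
import hmac
import json

def derive_txn_key(device_key: bytes, counter: int) -> bytes:
    # One-use key bound to the counter; the long-term key never signs directly.
    return hmac.new(device_key, b"txn-sign" + counter.to_bytes(4, "big"),
                    hashlib.sha256).digest()

def _mac(device_key: bytes, counter: int, txn: dict) -> str:
    # Canonical JSON so device and server hash identical bytes.
    payload = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(derive_txn_key(device_key, counter), payload,
                    hashlib.sha256).hexdigest()

def sign_transaction(device_key: bytes, counter: int, txn: dict) -> dict:
    """Device side: build the message sent to the cloud service."""
    return {"counter": counter, "txn": txn, "mac": _mac(device_key, counter, txn)}

class Verifier:
    """Server side: re-derives the key and rejects tampering and replays."""
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys   # device_id -> provisioned key (assumption)
        self.last_counter = {}           # device_id -> highest counter accepted

    def verify(self, device_id: str, msg: dict) -> str:
        key = self.device_keys.get(device_id)
        if key is None:
            return "unknown-device"
        counter = msg.get("counter")
        if not isinstance(counter, int) or not 0 <= counter < 2**32:
            return "bad-counter"
        expected = _mac(key, counter, msg.get("txn", {}))
        if not hmac.compare_digest(expected.encode(), str(msg.get("mac")).encode()):
            return "bad-signature"
        if counter <= self.last_counter.get(device_id, -1):
            return "replay"
        self.last_counter[device_id] = counter
        return "ok"

# Constructed sample values, not real keys or identifiers.
DEVICE_KEY = bytes(range(32))
SAMPLE_TXN = {"action": "portal-login", "patient_ref": "EXAMPLE-0001"}

if __name__ == "__main__":
    server = Verifier({"phone-1": DEVICE_KEY})
    msg = sign_transaction(DEVICE_KEY, 1, SAMPLE_TXN)
    print(server.verify("phone-1", msg))   # first use
    print(server.verify("phone-1", msg))   # same message replayed
```

The counter is checked only after the MAC verifies, so a forged message cannot advance the server's replay window for a device.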
Health care fraud, patient and record mismatching, and payments fraud are persistent challenges in the U.S. health care industry today. But with this vision and by leveraging proven smart card-based technology, including the EMV payments infrastructure, the health care industry can increase security, decrease payment vulnerability, reduce fraud and improve workflow for health care entities.
Randy Vanderhoof is executive director of the Smart Card Alliance. This column is excerpted and summarized from a recent white paper on health care authentication and payments convergence.