Summary:
The overall goal of a convergence vision for the healthcare industry is to leverage available technology components to add healthcare identity authentication applications to the existing payments infrastructure. The Smart Card Alliance Health and Human Services Council developed this white paper to outline a vision for healthcare identity authentication and payments convergence and to provide insight into the opportunities and challenges afforded to the healthcare community as the U.S. migrates to EMV.
The United States is currently in the process of adopting EMV1, a global standard used by payment applications residing on chip cards2, point-of-sale (POS) systems, and payment terminals. The U.S. move to EMV chip payments is driven by the payments industry’s desire to reduce card fraud, provide global interoperability, and enable safer payment transactions. Meanwhile, healthcare-related fraud is at an all-time high, with billions of dollars lost annually. Clearly, there is an immediate need to increase security for healthcare identity authentication and payments as well.
The pace of U.S. EMV migration is accelerating. Merchant and consumer education campaigns are increasing public awareness of EMV. According to the EMV Migration Forum, over 400 million EMV chip cards have been issued in the U.S. as of the end of 2015, with over 60% of consumers having at least one EMV chip card in their wallets.3
Most major retailers have converted legacy POS systems to systems that include smart card readers that can accept EMV-compliant chip cards; many have also included support for Near Field Communication (NFC) and contactless payments as part of the conversion. U.S. retailers are making strong progress in migrating their legacy infrastructure to support EMV chip payments, with over 750,000 merchant locations enabled as of January 2016.4
Smart card technology and applications are supported by global standards that are used by application and device developers to meet interoperability and other requirements. EMV, managed by EMVCo5, is the globally adopted payment standard used to implement EMV chip payment applications. Other smart card technology standards are developed by the international community6 and incorporated into the EMV specifications or used in EMV implementations.
The emergence of the EMV-enabled POS infrastructure enables the convergence of healthcare identity authentication and payment; that is, for the healthcare industry to use available smart card and EMV technology to add healthcare identity authentication to the payments acceptance infrastructure. By leveraging the EMV migration and consequent shift in POS technology, healthcare smart cards and the hardware infrastructure to support them are becoming a reality.
Overview:
Healthcare identity authentication and payment convergence can be realized through a variety of technological options, with either front- or back-end integration. Back-end integration requires agreement on a platform definition (including API functionality) across a network of payment and healthcare provider systems.
In addition, having a financial processor’s system perform transactions directly with a healthcare provider’s system requires significant security oversight and compliance. In contrast, front-end integration at a POS terminal or on a smart card can be managed without cross-industry involvement; both smart cards and POS terminals are designed to support multiple applications (e.g., an EMV payment application and a healthcare identity application).
Front-end integration using multiple applications on a smart card could be accomplished by leveraging the GlobalPlatform card management standard7, running in the Java Card runtime environment, or using the MULTOS product platform.
To illustrate the ease of front-end integration to support convergence, this white paper presents four example scenarios, described below. Each scenario discusses integration requirements and benefits and risks of the approach.
The four example scenarios are:
Scenario 1: Two Chip Cards and One Multi-Application POS Terminal
Two chip cards perform independent transactions on the same POS terminal, which runs two separate applications to route transaction information to the appropriate back-end system.
Scenario 2: One Multi-Application Chip Card and One Multi-Application POS Terminal
A single chip card hosts two applications that use the same POS terminal. One chip card application manages financial payment transactions; the second application manages healthcare identity authentication. The POS terminal runs two separate applications to route transaction information to the appropriate back-end system.
Scenario 3: One Chip Card with a “Special” Payment Application
In a variation of Scenario 2, a special payment application on the chip card provides non-payment transactional support.
Scenario 4: Mobile Healthcare Transactions
Mobile transactions can use NFC with a POS terminal that supports contactless payment transactions. The mobile application could use a derived credential from any of the above scenarios to facilitate a mobile transaction for healthcare identity authentication or payment.
