
Is your Business Ready for Text Message Payments? Keep in Mind these 3 Security Considerations

When it comes to making important decisions that streamline the services you provide to customers, security is often the first measure that requires special attention. Text messaging as a communications and payment solution is rapidly being adopted across every industry – from restaurants and pharmacies to nonprofits, utility providers and beyond – due to consumers’ determination to stay safe and stay contactless in the Covid-19 pandemic.


There are key concerns that need to be considered when making an important business decision that can potentially expose customer information. Ensure that you select a partner that adheres to these key security considerations:


  1. Certified Secure: PCI DSS compliant, SOC 2 compliant and HIPAA certified
  2. Supports SMS Opt-In Guidelines and TCPA legislation
  3. Includes Two-Factor Authentication and Payment Verification


Select a Certified Platform

Business owners must rely on their partner platform adhering to certified security standards. These certifications protect the customers’ information just as much as they protect your business and services.


  • Ensure that you partner with a company that is PCI DSS compliant. PCI stands for Payment Card Industry and DSS stands for Data Security Standard. A company that is PCI DSS compliant has therefore been certified for data security by the Payment Card Industry, and has taken extra measures to protect merchants’ and customers’ credit card information from being stolen.


  • Choose a partner that is SOC 2 certified. SOC 2 is an auditing process that guarantees your partner securely manages your data to protect the interests of your business and customers. Certification means customer data is managed according to five trust service principles: security, availability, processing integrity, confidentiality and privacy. Outside auditors grant this certification based on compliance with one or more of the five trust principles. Its role in securing data is crucial.


  • When it comes to healthcare, just about everyone is familiar with the term HIPAA. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Consisting of five sections (titles), it is U.S. legislation that sets data privacy and security provisions for safeguarding medical information, including medical records and other identifiable health information. HIPAA certification is recognizably important as it relates to data breaches and the protection of patients’ personal medical information. Have you thought about what it means to be HIPAA certified in terms of text messaging with patients? Just as email between patients and healthcare professionals (including pharmacists) must protect their information and medical data, a text messaging feature that is HIPAA certified means you can communicate with patients in a certified safe way.


SMS Opt-In Rules and Tips

Partners will sometimes take the easy route of sending bulk messages without obtaining prior consent. Not only is this a surefire way to anger and lose customers, some carriers will also block bulk messages as spam, meaning your communication never reaches them.


Your text message solution partner should fully support SMS Opt-In guidelines. This means recommending that you first issue an inaugural message inviting customers to participate, with something along the lines of: “For your convenience and safety, we now offer the option to pay your bill through text message. Reply STOP if you would like to decline this convenient option. To reinstate pay by text, call the office at any time.”


Healthcare providers can include Opt-In language for text messaging in the organization’s standard Release of Information form to streamline the process.


One such regulation in place to ensure consent is the Telephone Consumer Protection Act (TCPA). TCPA is a governing framework that affects how businesses can send messages to consumers. More specifically, it is a federal statute enacted in 1991 to safeguard consumer privacy, placing restrictions on voice calls, SMS texts and fax. Its main intent is to prevent consumers from receiving unwanted auto-dialed calls and text messages.


TCPA’s provisions require that a consumer’s opt-in to receiving text messages be documented and that they are able to easily opt out at any time. It also specifies that text messages can only be sent between 8 a.m. and 9 p.m. in that consumer’s time zone, unless otherwise authorized by the opt-in agreement.
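As an added illustration (not code from any platform discussed here), the following consent ledger implements the three TCPA rules above: a documented opt-in, an immediately honoured STOP reply, and a send window of 8 a.m. to 9 p.m. in the consumer’s own time zone unless the opt-in agreement authorizes any hour. The phone numbers, zone and timestamps are constructed sample data.

```python
"""Added example (not any platform's own code): a small SMS consent ledger
enforcing a documented opt-in, an easy STOP opt-out, and sends only between
8 a.m. and 9 p.m. in the consumer's own time zone. Sample data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple
from zoneinfo import ZoneInfo

SEND_WINDOW_START = time(8, 0)   # earliest local send time (8 a.m.)
SEND_WINDOW_END = time(21, 0)    # sends must happen before 9 p.m. local time
OPT_OUT_KEYWORDS = {"STOP"}      # the keyword the article quotes; carriers honour more

@dataclass
class Consent:
    phone: str
    tz: str                                  # IANA zone name, e.g. "America/New_York"
    opted_in_at: datetime                    # UTC timestamp of the documented opt-in
    any_hour_authorised: bool = False        # opt-in agreement allows off-hours sends
    opted_out_at: Optional[datetime] = None
    audit: List[str] = field(default_factory=list)  # human-readable consent history

class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, Consent] = {}

    def record_opt_in(self, phone: str, tz: str, at: datetime, any_hour: bool = False) -> None:
        rec = Consent(phone, tz, at, any_hour)
        rec.audit.append(f"{at.isoformat()} opt-in recorded (tz={tz}, any_hour={any_hour})")
        self._records[phone] = rec

    def handle_inbound(self, phone: str, body: str, at: datetime) -> bool:
        """Return True if the reply was an opt-out; consent is revoked at once."""
        rec = self._records.get(phone)
        if rec is None or body.strip().upper() not in OPT_OUT_KEYWORDS:
            return False
        rec.opted_out_at = at
        rec.audit.append(f"{at.isoformat()} opt-out via keyword {body.strip().upper()!r}")
        return True

    def may_send(self, phone: str, at: datetime) -> Tuple[bool, str]:
        """Decide whether a message may go out at 'at' (an aware datetime)."""
        rec = self._records.get(phone)
        if rec is None:
            return False, "no documented opt-in"
        if rec.opted_out_at is not None:
            return False, "consumer opted out"
        local = at.astimezone(ZoneInfo(rec.tz)).time()   # consumer's wall-clock time
        if not rec.any_hour_authorised and not (SEND_WINDOW_START <= local < SEND_WINDOW_END):
            return False, f"outside 8 a.m.-9 p.m. window ({local:%H:%M} {rec.tz})"
        return True, "ok"
```

Every decision returns a reason string so that a refusal can be logged alongside the consent history the regulation expects you to keep.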



Authenticate and Verify

Two-factor authentication (2FA) provides an extra layer of security that ensures the individual trying to access an account is actually that person. The first layer is the username and password; rather than granting access immediately, the system then requires a second “factor”. The second layer can come from a few different categories:


  • Answering a secret question or entering a personal identification number (PIN)
  • A credit card, smartphone or other item in their possession to prove identity
  • Even biometric proof such as a fingerprint, iris scan or voice print


The two layers of authentication ensure that an account can’t be accessed merely because the username and password have been compromised: a second factor is still required, and it is highly unlikely to be compromised as well.


Likewise, payment verification ensures the data used to make a payment is identical to the information on file. This could be something as simple as your billing information matching that which is on file with your credit card company. It’s a critical part of successfully paying by text message for both consumer and business owner.


Your partner should take data security very seriously. The above considerations, together with a fully encrypted authentication access method and other security measures, should be built into the design and management of their solution. They should keep the protection of sensitive integrated partner and customer information a top priority.

