The cast of characters that intervene between the merchant (you) and your patient/client’s credit card can be overwhelming to understand. Each component organization plays a vital role, yet also wants their piece of the pie during credit card processing. They all have fancy names, too, which makes it even more confusing. Let’s take a look at the anatomy of a typical credit card transaction.
Here are the steps in the order in which they occur for charging a credit card:
1. Patient/client enters card info into patient portal, or provider does it in EMR/EHR.
2. Credit card data is stored securely in a payment “gateway” account.
3. Provider (the “merchant”) or patient/client enters an amount and clicks “charge credit card” inside the EMR/EHR or in a patient portal.
4. EMR/EHR platform “requests” the credit card information as needed via a “token” from the gateway. The necessary data is transmitted in a secure, encrypted format.
5. The transaction is run via a major credit card network – for example, Visa or MasterCard.
6. The “issuing bank” (the one who is funding the patient/client’s credit card – for example, Bank of America) approves (or denies) the transaction based on the credit limit and other factors in the credit card account.
7. If the transaction is approved, the medical record gets updated with the transaction info.
8. The money is transferred from the issuing bank to the merchant’s checking account.
9. The patient pays their credit card bill to the issuing bank. If the patient/client doesn’t pay the bill in full, they pay interest to the issuer.
Those credit card processing companies that help facilitate the transaction take their fees out once the transaction is successful and before the money is deposited into the merchant’s account.
- Major credit card networks (Visa/MC, etc.) – charge a per-transaction rate and fee. This is known as the “wholesale” or “interchange” rate.
- If a patient/client uses a “rewards card” (like for frequent flier miles, or “1% cash back”), those rewards are added to the patient’s/client’s credit card account. Because of the cost of these rewards, Visa/MC may charge higher rates. There are more than 1500 types of rates that are charged!
- The merchant service processor adds on fees for the technology it provides in tapping the network, for providing the infrastructure for merchant accounts, and maintaining support to the merchant.
- If the merchant service processor does not provide their own in-house gateway, you may have to pay fees for secure credit card storage or surcharges.
So, how do PayPal, Stripe, Square and others charge the merchant a flat rate with so many variables?
They have figured out the average cost of the real charges, then charge more on average per transaction. That’s how they profit. Providing minimal customer service also keeps their costs low.
But isn’t that simpler?
Well, it’s nice to know that every transaction will have the same charge … as long as you’re okay with it costing you more money most of the time.
What about “as low as 1.49%” rates? That sounds good!
Yes, except virtually no credit card transactions qualify for this rate. So, they can advertise it until the cows come home, but you will rarely benefit from it (unless the patient/client uses their credit card as a debit card). So, you default down to lower rates, which they call “qualification” because that sounds nicer. The rates can explode from there, to as high as 3.9%. Plus, if you don’t want to physically swipe your patient’s card using a card reader device, you are automatically disqualified from that rate because there is a higher risk involved (like, you could have stolen credit card info from somewhere else).
What if my patient/client uses a debit card? Isn’t the wholesale rate lower?
Yes, so those merchant companies charging a flat rate just make more profit. Lovely for them, but the merchant doesn’t benefit unless their charges are in alignment with the wholesale/interchange pricing.
If I use Square, PayPal or Stripe, I’m PCI compliant, right?
No. That’s like saying if you use an EMR that signs a Business Associate Agreement with you, you are HIPAA compliant. Ultimately, the practice as a whole, across all of its business practices, determines PCI and HIPAA compliance. You are still responsible for demonstrating both HIPAA and PCI compliance. PayPal, Stripe, Square, etc. make that process secure, but also don’t give you any tools or help with it – another way they keep their profit margin intact. So if you want help on your own, a typical cost would be around $400/year.