
PCI Data Security at the Intersection of Healthcare, Payments, and Fintech

April 29, 2021
Data Security

As divided as the U.S. may be in recent years, there’s at least one issue the vast majority of us seem to agree on: the price of healthcare is out of control.

As healthcare costs continue to inflate faster than other goods and services, premiums grow with them. Whether they buy coverage through an employer or directly, people are often stuck with high-deductible health plans just to be covered. Out-of-pocket costs for copays or the deductible can result in debt, unpaid bills, or perhaps worst of all, the person choosing not to get care.

“Affording care” is a problem that’s ripe for disruption - and that’s just what VGS customer Paytient is doing by addressing affordability at the point of care. Paytient is the tip of the spear on understanding and addressing the out-of-pocket expenses members face.


Paytient gives employers or health insurers the ability to offer a Visa credit card with funds users can access to pay medical, dental, vision, pharmacy, or veterinary providers, so unexpected, out-of-pocket expenses become manageable payment plans. It’s credit as a benefit, with no interest or fees. In the end, Paytient helps people better access and afford healthcare today.

Last week, Fintech Futures held a webinar with Very Good Security’s own Peter Berg, VP of Business Development & Strategy, and the Founder and CEO of Paytient, Brian Whorley. Here are some of the key takeaways.

Healthcare + Financial Services = Extremely Sensitive Data

As a reader of this blog, you know the drill: protected health information (PHI), personally identifiable information (PII), and cardholder data are each extremely sensitive on their own. Put them all together and kaboom! You inherit the full stack of compliance regimes at once: HIPAA for the health data, PCI DSS (Payment Card Industry Data Security Standard) for the cardholder data, and a SOC 2 report to prove your controls to customers.

But for Paytient, data security is about more than just meeting regulatory requirements. It’s about building customer trust. Brian shared, “We thought about how we treat personal and regulated data security as a core question for the member experience. When someone is sick, they want to get better, they certainly want to find the most painless way to pay for care, and they certainly don't want to worry about the security of their data.”

Build Security in from Day Zero

Part of Paytient’s success stems from treating data security as a customer experience issue. In the webinar, Brian spoke of the healthcare fintech’s mission as “a privileged position enabled by trust.” With this ethos at the core of what they do, Paytient set out from the very beginning to find solutions and service provider partners that would help them accomplish their mission.

“We took the time and energy to kind of engineer and build a product that does what people expect it to do… It's the simple things done exceedingly well, day in, day out, that build trust, and having high security is not an option; that's a requirement. That's what people expect. VGS helps us to deliver a trusted experience for folks, and that is taking one big worry off the table,” Brian explained.

Don’t Clip Your Wings

Peter agreed that starting early, as Brian and the Paytient team did, was precisely the right move: tackle the information security problem before it becomes an actual problem. “We've seen a number of customers and other companies that essentially twist themselves into pretzels, trying to avoid regulatory or security issues, and what they end up doing is actually clipping their own wings, so to speak, where they're limiting what they're able to build and limiting the features that they're building because they're trying to avoid touching certain types of data or having it hit different systems. And I think as companies grow and build and their tech stack becomes more complex, they find that data is flowing in places they weren't initially anticipating, and now it's a data migration exercise or kind of a de-scoping exercise.”

Security or Speed? Both!

One key to Paytient’s mission is getting to market quickly so it can start helping people access care. Brian said, “There's a lot of preventable harm out there, and we're in a position to help folks, and so we want to get out there as quick as we can. And for us, we felt VGS provided a modern ability to build in a very secure way to not trade off security for speed; we can have both. That's how we work with them to protect a whole range of different classes of data that our members would expect us to treat securely and in high regard.” He went on to emphasize that by outsourcing their PCI compliance and data security, they can ensure that they're not compromising security for speed. “We're at the intersection of two highly regulated industries and we need to make sure that that is table stakes for the product that we're ultimately putting out into the marketplace.”

Watch the Webinar

There’s so much more covered in the webinar, including the cost benefits of outsourcing PCI compliance (both financial and opportunity cost), three ways to ensure your product gets to market in a PCI-compliant way, the relationship with a QSA (Qualified Security Assessor), and "suffering as a service." Watch now to get the complete picture!

Stefan Slattery

Head of Growth Marketing
