PCI Compliance for Healthcare
Where Patient Trust and Payment Security Meet
Healthcare organisations face the unique challenge of managing PCI DSS compliance alongside HIPAA obligations — in environments with legacy systems, call centre card acceptance, and complex third-party billing arrangements. We navigate this complexity so your team doesn't have to.
Industry Overview
The PCI Compliance Challenge in Healthcare
Healthcare organisations collect card payments in more ways — and in more complex environments — than almost any other industry. A mid-sized hospital system may accept cards at the front desk, through a patient self-pay portal, via a call centre, through automated payment plans, and through multiple third-party billing vendors simultaneously. Each channel potentially brings different PCI obligations.
The interaction between PCI DSS and HIPAA is a defining feature of healthcare compliance. These two frameworks protect different data types but rely on overlapping infrastructure. Patient billing systems often hold both protected health information (diagnosis codes, procedure codes, demographic data) and cardholder data (card numbers, expiry dates). Designing controls that satisfy both regulators simultaneously requires a careful, integrated approach.
Healthcare also operates on legacy technology timelines that are incompatible with PCI's patching and upgrade requirements. EHR platforms, practice management systems, and billing software often have multi-year vendor upgrade cycles. When these systems are in-scope for PCI DSS, compensating controls must be designed, documented, and maintained until the system can be updated or replaced.
Our healthcare PCI work is built around these realities — not around a generic compliance framework that treats a GP practice the same as a SaaS company.
Key Challenges
PCI Compliance Hurdles in Healthcare
Dual PCI and HIPAA Compliance
Healthcare organisations collecting patient payments must meet both PCI DSS for cardholder data and HIPAA for protected health information. The challenge is that these two frameworks share overlapping infrastructure but have distinct control requirements — and a gap in one can trigger regulatory exposure in both. Patient billing systems that co-mingle PHI and payment data require particularly careful scoping and control design.
Organisations that treat PCI and HIPAA as separate programmes often duplicate effort by 40–60% when shared controls are not identified.
Legacy System Risk
Healthcare payment environments frequently rely on EHR platforms, practice management systems, and billing software with long upgrade cycles — some running operating systems that have been end-of-life for years. Legacy systems that cannot be patched or upgraded must be covered by compensating controls and are often network-isolated, but many healthcare organisations lack documented plans for managing legacy in-scope systems under PCI DSS.
Legacy operating systems like Windows Server 2008 that touch cardholder data require formal compensating controls documented in your CDE boundary.
Call Centre Card Acceptance
Many healthcare providers collect co-payments over the phone — making call centres a significant and frequently overlooked PCI compliance challenge. Staff who verbally receive card numbers introduce substantial risk: informal storage (written on paper), access by non-authorised staff, and lack of recorded-call policies. PCI DSS has specific requirements for call centre environments that differ from online or terminal-based card acceptance.
Healthcare call centres accepting card payments over the phone are subject to Requirements 9.4 (media) and 12 (policy) in addition to standard CDE controls.
Third-Party Billing and Clearinghouse Integration
Most healthcare payment flows involve multiple third parties: billing services, revenue cycle management vendors, clearinghouses, and payment processors. Each integration point where cardholder data flows must be assessed for PCI compliance. Vendor contracts must include PCI compliance obligations, and annual attestations from key vendors must be collected and maintained.
A payment breach originating in a billing vendor does not transfer PCI liability away from the covered entity — documentation of vendor compliance is essential.
Patient Portal Payment Security
Patient self-pay portals that accept online card payments represent one of the most direct PCI risk surfaces in healthcare. Portals built on legacy technology or with inadequate payment gateway integration can inadvertently bring card data into the healthcare organisation's environment. The scope assessment for patient portals must include the underlying technology stack, hosting environment, and third-party scripts.
PCI DSS v4.0 introduces new requirements for client-side script management (Req 6.4.3) that affect all organisations with payment-enabled web pages.
Multi-Site and Multi-Entity Scope
Hospital systems, physician groups, and multi-location providers must manage PCI compliance across distributed environments — multiple practice management systems, different payment terminal vendors, various billing workflows, and potentially dozens of physical locations. A centralised compliance programme that accounts for all sites is significantly more challenging than a single-site assessment.
Multi-site healthcare organisations often underestimate CDE scope by failing to inventory payment acceptance at remote clinic and satellite locations.
How We Help
Services for Healthcare Compliance
Every healthcare engagement accounts for the dual-framework complexity and operational constraints specific to clinical environments.
PCI Readiness Assessment
We map your complete cardholder data environment across all payment acceptance channels: patient portals, in-person terminals, call centre collection, and third-party billing integrations. You receive a clear CDE boundary, SAQ classification, and current compliance posture before engaging a QSA.
Gap Analysis
Control-by-control PCI DSS v4.0 assessment with specific attention to legacy system compensating controls, call centre policy requirements, third-party vendor compliance documentation, and client-side script security for patient portals.
Remediation Support
Practical advisory through your specific remediation challenges: legacy system compensating control design, call centre payment procedure development, vendor compliance programme establishment, and segmentation architecture for multi-site environments.
Audit Preparation
Evidence pack preparation, SAQ completion review, and QSA pre-assessment walkthroughs. We ensure your documentation reflects the dual-framework nature of healthcare compliance and can answer PCI and HIPAA-specific questions confidently.
What's at Risk
Why Healthcare Organisations Can't Afford Non-Compliance
A payment data breach in healthcare carries consequences that extend beyond card brand fines into regulatory, reputational, and operational risk.
Card Brand Fines and Increased Interchange
Healthcare providers found non-compliant with PCI DSS face fines of $5,000–$100,000 per month from their acquiring bank, passed through from card brands. Non-compliant organisations may also be subject to increased interchange rates — a direct cost on every future transaction until compliance is restored.
Joint PCI and HIPAA Breach Exposure
A breach of a co-mingled system carrying both PHI and payment data triggers simultaneous OCR HIPAA breach notification requirements and PCI card brand incident response obligations. Legal exposure, notification costs, and reputational damage multiply when both datasets are compromised.
Patient Trust and Reputation
Healthcare organisations hold an elevated position of patient trust. A payment data breach in a healthcare context carries reputational harm beyond what most industries experience — patients may change providers, and media coverage of healthcare data incidents is disproportionately intense.
Losing Payment Processing Rights
In a severe non-compliance scenario, a healthcare organisation can be placed on the MATCH list (Member Alert to Control High-Risk Merchants), effectively barring it from card acceptance through any acquiring bank. For a healthcare provider whose revenue depends on patient card payments, this is an operational emergency.
Our Approach
How We Get You Audit-Ready
Discovery and Environment Mapping
We document all payment acceptance channels, integrate with your existing HIPAA risk analysis where relevant, and define the initial CDE boundary across your full provider network.
Scope Definition and SAQ Classification
We determine your correct SAQ pathway (SAQ B for terminals only, SAQ C for payment software, SAQ D for complex environments) or ROC requirement, and confirm the in-scope environment for assessment.
Gap Assessment
Control-by-control review with specific attention to legacy system risk, call centre procedures, patient portal security, and third-party vendor compliance documentation.
Compensating Control and Remediation Design
For legacy systems and other environments where direct compliance is not immediately achievable, we design and document compensating controls that satisfy QSA standards.
Audit Readiness and Evidence Package
Complete evidence compilation, SAQ or ROC response preparation, vendor attestation collection, and pre-audit walkthroughs with your compliance and IT teams.
Who This Is For
Built for Healthcare Organisations of All Sizes
Hospital Systems
Multi-site health systems managing patient payments across inpatient, outpatient, and specialist billing environments.
Physician Groups and Practices
Single and multi-location medical practices collecting co-payments, deductibles, and self-pay balances.
Dental and Specialty Providers
High-volume dental networks and specialty practices with substantial self-pay and co-pay card volumes.
Telehealth Platforms
Virtual care providers collecting card payments through patient-facing portals and payment-enabled scheduling systems.
Revenue Cycle Management Vendors
RCM service providers that handle billing and payment collection on behalf of healthcare clients — potentially subject to service provider PCI obligations.
Health Tech and Digital Health
Digital health companies with subscription billing, co-pay collection, or payment-enabled patient engagement platforms.
Compliance Requirements
Key PCI DSS Requirements for Healthcare
The PCI requirements that carry the most weight in healthcare assessments — and what they mean for clinical and administrative teams.
Network Segmentation
Patient billing systems must be segmented from clinical networks and EHR systems where possible. This is especially important in environments that co-mingle PHI and payment data.
Payment Page Script Management
New in PCI DSS v4.0: all scripts running on payment pages must be inventoried, authorised, and integrity-checked. Applies to patient portals and self-pay pages.
Identity and Access Management
MFA is required for all non-console access to the CDE. Service accounts for billing systems and payment integrations must be governed under a least-privilege policy.
Physical Media Security
Call centre environments must have documented procedures for handling written card data and call recordings. Printed payment records must be inventoried and securely destroyed.
Policies and Procedures
Comprehensive security policies covering staff training, acceptable use, incident response, and third-party vendor management — including annual PCI compliance attestation collection from payment vendors.
Case Study
Regional Health System Achieves PCI Compliance Across 14 Locations in 5 Months
The Problem
A regional health system operating 14 outpatient clinics had never completed a formal PCI assessment. Their payment environment included three different practice management systems, a patient self-pay portal, and an internal call centre. Card payments were collected at each location using a mix of integrated and standalone terminals. One practice management system ran on Windows Server 2008 with no upgrade path until the following year's EHR migration.
What We Did
We scoped the full environment across all 14 locations and classified the health system as SAQ C (payment software on networked computers) rather than the SAQ D they had incorrectly assumed. We designed a compensating control worksheet for the legacy Windows Server 2008 instance, implemented a call centre card handling policy and a DTMF suppression pilot, collected vendor attestations from all three billing vendors, and completed the full SAQ C evidence pack.
The Result
SAQ C completed and submitted within 5 months. All 14 locations documented in a single compliant programme. Legacy system compensating controls accepted by the QSA reviewer. Call centre card handling procedures trained across all frontline staff. The health system now operates a rolling quarterly review programme with us, with its next annual assessment fully prepared 3 months in advance.
Protect Your Patients and Your Organisation
Healthcare PCI compliance doesn't have to be disruptive. We work within your operational constraints to build a programme that protects payment data without interfering with patient care.