PCI DSS Compliance for Healthcare Practices

PCI DSS scope reduction for healthcare practices with hosted fields and tokenization

Scope reduction from SAQ-D to SAQ-A via hosted fields and tokenization — the difference between a 12-month, $40K compliance program and a 90-minute self-assessment.

What PCI scope does a healthcare practice actually inherit?

Any practice that touches card data — even a receptionist typing it into a virtual terminal — is in PCI scope. Untokenized environments require SAQ-D: 329 controls, quarterly ASV scans, annual penetration testing. Tokenized environments using hosted fields drop to SAQ-A: 22 controls and a self-assessment.

How do hosted fields reduce scope?

Hosted fields render card-capture inputs from our PCI-validated domain inside an iframe on your page. Card data goes directly from the patient's browser to our vault — it never traverses your server, your PMS, or your network. Your scope shrinks to the page that hosts the iframe.
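As an added illustration (not this page's code and not the processor's SDK), a practice's checkout script showing the boundary hosted fields create: the iframe comes from the vault origin, only a postMessage from that origin is trusted, and only the returned token reaches the practice's server. The vault domain, the message shape and the `/api/charge` endpoint are assumed placeholders.

```javascript
// Added example, not the processor's SDK: a practice's checkout page embeds
// the hosted-field iframe and only ever handles the token it hands back.
// VAULT_ORIGIN, the message shape and /api/charge are assumed placeholders.
const VAULT_ORIGIN = "https://vault.example-processor.test";

// Accept a token only from the hosted-field origin and only in the expected
// shape; a postMessage from any other origin (another script, another frame)
// is ignored so a forged "token" is never posted to the server.
function extractToken(event) {
  if (event.origin !== VAULT_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== "hosted-field-token") return null;
  if (typeof data.token !== "string" || data.token.length === 0) return null;
  // A token is an opaque reference; a digit run that looks like a PAN means
  // card data is leaking out of the iframe, so refuse it.
  if (/^\d{13,19}$/.test(data.token.replace(/[\s-]/g, ""))) return null;
  return data.token;
}

// What the practice's own server receives: the token plus posting metadata.
// PAN, expiry and CVV never leave the iframe, so their presence is a bug.
function buildChargePayload(token, invoice) {
  for (const key of ["cardNumber", "pan", "expiry", "cvv"]) {
    if (key in invoice) {
      throw new Error(`cardholder data must not reach the merchant server: ${key}`);
    }
  }
  return { token, invoiceId: invoice.invoiceId, amountCents: invoice.amountCents };
}

// Browser-only wiring: mount the iframe from the PCI-validated domain and
// forward the token to the practice's server once it arrives.
function mountHostedFields(container, invoice) {
  const frame = document.createElement("iframe");
  frame.src = `${VAULT_ORIGIN}/hosted-fields`;
  container.appendChild(frame);
  window.addEventListener("message", (event) => {
    const token = extractToken(event);
    if (token === null) return;
    fetch("/api/charge", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(buildChargePayload(token, invoice)),
    });
  });
  return frame;
}
```

The server side then charges against the token through the processor's API and stores only the token reference with the posting record, which is what keeps the page that hosts the iframe as the practice's whole PCI footprint.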

What about terminals?

EMV chip + contactless terminals connect to our gateway over P2PE-encrypted channels, keeping the practice at SAQ-B-IP (8 controls). The terminal itself is the PCI boundary.

How is PCI different from HIPAA scope?

PCI covers cardholder data; HIPAA covers PHI. Both apply to your practice and both require segregation. HIPAA-compliant processing with PCI scope reduction is the only configuration that satisfies both regimes without duplicate controls.

Frequently asked questions

How fast can you get approved?

Most healthcare practices are approved within 24 hours of complete application submission. Specialty MIDs (dental DSO, behavioral health groups, DME) may take 48–72 hours while underwriting reviews trailing statements and licensure.

What does it cost?

Interchange-plus pricing — typically 2.4% + $0.10 per card transaction with no setup fee and no monthly minimum. ACH is 0.5–1.0%. You see interchange cost, assessments, and our markup on a single itemized statement.

Is the platform HIPAA-compliant?

Yes. We sign a BAA, tokenize all card and bank data before it touches your systems, and segregate PHI from payment metadata. EHR / PMS integrations move only the minimum necessary data for posting.

Apply for a healthcare merchant account.

HIPAA-compliant. 24-hour approval. Transparent pricing.

Get a Free Quote