iHealthSpot BillPay (formerly ezNetPay) and PCI-DSS Compliance



Page Revision: 2012/10/18 14:58


ezNetPay is iHealthSpot's unique and revolutionary service which allows healthcare providers to collect payment information securely from their patients via their website using credit cards. In providing this service, iHealthSpot takes great care to meet industry standards in terms of security and privacy. This page discusses these standards and provides information about how iHealthSpot complies with them.

Please contact us if you have any questions related to ezNetPay and/or our security practices.

What is PCI-DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information related to customer credit cards and other private sensitive information relating to customer accounts. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. The standard is created and managed by the PCI Security Standards Council.

How does iHealthSpot participate in PCI-DSS?

iHealthSpot, Inc. adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In doing so, we strive to ensure that all customers' payment card data is being kept safe throughout every transaction, and that patients and practices can have confidence that they're protected against the pain and cost of data breaches.

For iHealthSpot, adhering to the PCI DSS is not a single event, but a continuous, ongoing process. First, we continually assess and identify cardholder data, taking an inventory of all our IT assets and business processes for payment card processing, and we analyze them for vulnerabilities that could expose cardholder information. Second, we remediate and fix any possible vulnerabilities and we never store cardholder data after a transaction has been processed. Third, we compile and submit compliance reports to all our clients and the acquiring banks and card brands you do business with.

When was iHealthSpot's last compliance report and how was it generated?

The last compliance report was generated from a certified scan on 10-6-2012 and certified by our Approved Scanning Vendor, Qualys, on 10-18-12. This scan is valid until 01-06-13.

iHealthSpot operates limited servers for processing payments. The IP addresses are stated in the report. The Executive Summary of the scan is available here.

For more information about Qualys and the services they provide for PCI Compliance, visit their website.

What card data does iHealthSpot collect and store?

iHealthSpot collects the credit card number, expiration date, card code and billing address at the time a patient "pays their bill". This information is used instantly and immediately to get a payment authorization from the gateway and card processor. Once iHealthSpot receives the payment authorization (which happens within seconds of submitting a payment), iHealthSpot discards the credit card number (except the last four digits) and the card code. iHealthSpot does retain the expiration date, billing address and other patient information needed to properly identify to the healthcare provider what the nature of the payment was about and who it was for. By the time a patient sees their online receipt of payment, iHealthSpot has already purged all card data from its systems!
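The retention rule described above (authorize, then keep only the last four digits, expiration date and billing address, and never the card code) is the kind of logic a practitioner would want to see enforced in code and checked. The following is an added example written for this page, not iHealthSpot's or ezNetPay's code: the record layout, the sample card data, the `fake_gateway_authorize` stub (a Luhn check standing in for the processor, with no network call) and the `leaks_card_data` check are all constructed assumptions. It follows PCI DSS in treating the card code as sensitive authentication data that must not survive authorization, while the expiration date may be retained.

```python
"""Added example: post-authorization card-data retention.

Models the flow on the page: collect card number, expiry, card code and
billing address; obtain an authorization; then keep only what is allowed.
All names, the gateway stub and the sample values are constructed for this
example and are not iHealthSpot's code.
"""
import re
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass
class PaymentRequest:
    """Everything collected from the patient at 'pay my bill' time."""
    card_number: str
    expiration: str          # MM/YY
    card_code: str           # sensitive authentication data: never stored
    billing_address: str
    patient_reference: str   # lets the provider match the payment to a bill


@dataclass
class RetainedPayment:
    """The only record that survives once the gateway has answered."""
    last_four: str
    expiration: str
    billing_address: str
    patient_reference: str
    authorization_code: Optional[str]
    approved: bool


def _digits(value: str) -> str:
    return re.sub(r"\D", "", value)


def fake_gateway_authorize(req: PaymentRequest) -> tuple[bool, Optional[str]]:
    """Stand-in for the gateway/processor call (constructed, offline).

    A Luhn check substitutes for the processor's own validation; a real
    gateway would also verify expiry, card code and available funds.
    """
    digits = _digits(req.card_number)
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    if not digits or total % 10 != 0:
        return False, None
    return True, "AUTH-" + digits[-4:]


def process_and_purge(req: PaymentRequest) -> RetainedPayment:
    """Authorize, then build the retained record and scrub the request."""
    approved, auth_code = fake_gateway_authorize(req)
    digits = _digits(req.card_number)
    retained = RetainedPayment(
        last_four=digits[-4:],
        expiration=req.expiration,
        billing_address=req.billing_address,
        patient_reference=req.patient_reference,
        authorization_code=auth_code,
        approved=approved,
    )
    # Overwrite the in-memory full PAN and card code so nothing downstream
    # (logs, receipts, exception traces) can pick them up from the request.
    req.card_number = "*" * len(req.card_number)
    req.card_code = ""
    return retained


def leaks_card_data(record: RetainedPayment, full_pan: str, card_code: str) -> bool:
    """Defensive check: does any retained field still carry the PAN or code?"""
    pan = _digits(full_pan)
    for value in asdict(record).values():
        if not isinstance(value, str):
            continue
        if pan and pan in _digits(value):
            return True
        if card_code and card_code in value:
            return True
    return False


if __name__ == "__main__":
    # Sample values are constructed; the card number is a standard test PAN.
    request = PaymentRequest("4242 4242 4242 4242", "12/25", "987",
                             "1 Example St, Anytown", "BILL-0001")
    kept = process_and_purge(request)
    print(kept)
    print("leak:", leaks_card_data(kept, "4242 4242 4242 4242", "987"))
```

The `leaks_card_data` check is the useful part for an auditor: run it over whatever record is written to the database or shown on the receipt, and it flags any field that still contains the full card number or the card code.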



ScrewTurn Wiki version 2.0.36. Some of the icons created by FamFamFam.