iHealthSpot BillPay is iHealthSpot's unique and revolutionary service which allows healthcare providers to collect payment information securely from their patients via their website using credit cards. In providing this service, iHealthSpot takes great care to meet industry standards in terms of security and privacy. This page discusses these standards and provides information about how iHealthSpot complies with them.

Note: iHealthSpot BillPay was formerly known as ezNetPay. Any references to ezNetPay can be assumed to apply to iHealthSpot BillPay.

Please contact us if you have any questions related to iHealthSpot BillPay and/or our security practices.


What is PCI-DSS?

The Payment Card Industry (PCI) Data Security Standard (DSS) represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information related to customer credit cards and other private sensitive information relating to customer accounts. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. The standard is created and managed by the PCI Security Standards Council.


How does iHealthSpot participate in PCI-DSS?

iHealthSpot, Inc. adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In doing so, we strive to ensure that all customers' payment card data is being kept safe throughout every transaction, and that patients and practices can have confidence that they're protected against the pain and cost of data breaches.

For iHealthSpot, adhering to the PCI DSS is not a single event, but a continuous, ongoing process. First, we continually assess and identify cardholder data, taking an inventory of all our IT assets and business processes for payment card processing, and we analyze them for vulnerabilities that could expose cardholder information. Second, we remediate and fix any possible vulnerabilities and we never store cardholder data after a transaction has been processed. Third, we compile and submit compliance reports to all our clients and the acquiring banks and card brands you do business with.

Furthermore, iHealthSpot works in tandem with Payment Services Providers to provide an end-to-end solution. Some of our payment providers include: Authorize.net, FirstData, PayPal and PayPros.


When was iHealthSpot's last PCI compliance report and how was it generated?

The last PCI compliance report was generated from a certified scan on 07-14-2020 and certified by our Approved Scanning Vendor, Qualys, on 07-14-2020. This scan is valid until 09-14-2020.


In addition, automatic scans are performed and reviewed every 3 weeks, alerting us to any new issues and ensuring continued compliance.

iHealthSpot operates limited servers for processing payments. Page 1 of the Executive Summary of the scan is available here.

For more information about Qualys and the services they provide for PCI Compliance, visit their website.


How does iHealthSpot protect the information I see and provide to BillPay and Patient Portals?

iHealthSpot uses industry standard SSL communications between your web browser and our servers.

You can verify the status of the iHealthSpot SSL services here:

Patient Portals


What card data does iHealthSpot collect and store?

For a short amount of time only, iHealthSpot collects the credit card number, expiration date, card code and billing address. This information is held while a patient "pays their bill" and is used immediately to get a payment authorization from the gateway and card processor. Once iHealthSpot receives the payment authorization (which happens within seconds of submitting a payment), iHealthSpot discards the credit card number (except the last four digits), the card code and the expiration date. iHealthSpot does retain the billing address and other patient information needed to properly identify to the healthcare provider the nature of the payment and who it was for. By the time a patient sees their online receipt of payment, iHealthSpot has already purged all card data from its systems!
