Physical Therapy PCI

Bottom Line Up Front

Most physical therapy practices believe they’re compliant because their credit card terminal is “secure” — but if you’re storing patient payment information for recurring billing, emailing receipts with card numbers, or keeping credit card authorization forms in patient files, you’re likely non-compliant and at risk. Physical therapy PCI compliance typically maps to SAQ B for standalone terminals, SAQ C for integrated practice management systems, or SAQ A if you’ve fully outsourced payment processing to avoid storing any cardholder data.

The biggest compliance mistake in physical therapy? Treating PCI like HIPAA — they’re completely different standards with different requirements, and your HIPAA-compliant practice management system isn’t automatically PCI-compliant when it comes to payment data.

How Physical Therapy Practices Process Payments

Physical therapy practices handle payments through multiple channels that create unique compliance challenges:

Typical payment environments include standalone credit card terminals at the front desk, integrated payment modules within practice management systems like WebPT or Clinicient, recurring billing for treatment plans, and increasingly, patient portal payments for copays and deductibles. Many practices also process payments over the phone for scheduling deposits or payment plans.

Common technology stacks center around practice management systems (PMS) that integrate billing, scheduling, and clinical documentation. Popular platforms include WebPT with Stripe integration, Clinicient with integrated payments, TherapyNotes with payment processing modules, and standalone solutions like Square or Clover terminals. The integration between clinical systems and payment processing often creates unexpected PCI scope.

Where cardholder data lives — and where it absolutely shouldn’t — is critical. Card data often appears in appointment notes (“save card ending in 1234 for copays”), scanned authorization forms in patient files, email confirmations with full card numbers, Excel spreadsheets for payment tracking, and paper forms in filing cabinets. Each of these creates compliance obligations.

SAQ type mapping for physical therapy practices:

  • SAQ B: Standalone terminals with no electronic cardholder data storage (most single-location practices)
  • SAQ B-IP: Standalone terminals with IP connectivity but no electronic storage
  • SAQ C: Integrated PMS with payment processing (common for multi-location practices)
  • SAQ A: Fully outsourced payment processing with no direct card handling
  • SAQ D: Any electronic storage of cardholder data (avoid this complexity if possible)

Industry-Specific Compliance Challenges

Physical therapy practices face unique PCI compliance challenges that stem from healthcare operations and patient care requirements.

HIPAA creates false confidence about data security. Your HIPAA-compliant systems protect patient health information, but PCI DSS has completely different technical requirements. That encrypted patient database? It might not meet PCI encryption standards. Your HIPAA access controls? They likely don’t satisfy PCI’s technical authentication requirements.

Paper-based workflows persist in many practices. Patient intake forms with credit card fields, insurance verification documents with payment information, and handwritten payment plans all create PCI scope. Unlike electronic systems, you can’t simply “patch” a filing cabinet — you need physical security controls and documented destruction procedures.

Recurring billing complexity makes scope reduction challenging. Treatment plans often span months with regular copays, creating legitimate business needs to store payment information. But storing card data for convenience transforms your simple SAQ B environment into a complex SAQ D assessment with 300+ requirements.

Multiple locations multiply complexity. Each clinic location with its own terminal or payment process potentially creates additional PCI scope. Centralized billing offices processing payments for multiple locations need network segmentation to prevent one compromised location from affecting the entire practice.

High staff turnover in administrative positions means constant retraining on payment security. Your compliance depends on every staff member who touches payment data understanding and following procedures — from front desk coordinators to billing specialists to therapists collecting copays.

Your Compliance Roadmap

Getting your physical therapy practice PCI compliant doesn’t require an IT overhaul — it requires understanding your current payment environment and making strategic decisions about scope reduction.

Step 1: Determine your merchant level and SAQ type. Contact your payment processor for your annual transaction volume to identify your merchant level (most practices are Level 4). Use your processor’s questionnaire or PCICompliance.com’s SAQ Wizard to identify your correct self-assessment form based on how you actually process payments, not how you think you should.

Step 2: Map your cardholder data flow. Document every point where card data enters your practice: front desk terminals, phone payments, patient portal, recurring billing systems, and paper forms. Follow the data through your systems — where it’s displayed, stored, transmitted, and ultimately destroyed. This exercise alone often reveals non-compliant practices you didn’t know existed.

Step 3: Identify scope reduction opportunities. Every system that touches cardholder data becomes part of your CDE. Look for ways to isolate payment processing from clinical systems through network segmentation, P2PE terminals that encrypt at the swipe, tokenization for recurring billing, and hosted payment pages for patient portals.

Step 4: Implement required controls. Based on your SAQ type, implement the specific requirements. For most practices, this means configuring firewalls, updating default passwords, restricting access to payment systems, enabling logging, and implementing security policies. Don’t try to implement SAQ D requirements if you can qualify for a simpler form through scope reduction.

Step 5: Complete your SAQ and schedule ASV scans. Work through your self-assessment questionnaire honestly — “compensating controls” for requirements you can’t meet need formal documentation. If your SAQ requires quarterly ASV scanning, ensure scans cover all internet-facing systems that connect to payment processing.

Step 6: Submit your AOC and maintain compliance year-round. File your Attestation of Compliance with your payment processor by their deadline. Calendar quarterly tasks like ASV scans, firewall reviews, and security update deployments. Annual compliance is just verification — actual security requires continuous attention.

Timeline and budget expectations: Single-location practices with standalone terminals can achieve compliance in 4-6 weeks for under $1,000. Multi-location practices with integrated systems typically need 3-6 months and $5,000-$15,000 for technology upgrades and assessment costs. The largest expense is usually replacing non-compliant PMS integrations or implementing tokenization.

Scope Reduction for Physical Therapy Practices

The secret to manageable PCI compliance in physical therapy is reducing scope — not trying to secure every system that might touch payment data.

P2PE terminals offer the most dramatic scope reduction. Validated Point-to-Point Encryption solutions like First Data TransArmor or Ingenico’s P2PE devices encrypt card data at the moment of swipe or dip. Your practice never sees unencrypted card numbers, reducing your compliance scope to just the physical terminal security. For most practices, this transforms a complex SAQ C or D into a simple SAQ P2PE with only 33 requirements.

Tokenization for recurring billing solves the treatment plan problem. Instead of storing card numbers for monthly copays, tokenization replaces sensitive data with non-sensitive tokens. Services like Stripe, Square, or integrated solutions from your PMS vendor store the actual card data in their PCI-compliant environment while you store only meaningless tokens.

Hosted payment pages eliminate patient portal complexity. Instead of accepting card data through your portal, redirect patients to your processor’s hosted payment page. The payment happens on their PCI-compliant infrastructure, and you receive only a confirmation and token for future use. This approach keeps your entire patient portal out of PCI scope.

Virtual terminals replace phone payments. Rather than verbally collecting card numbers over the phone (which makes your entire phone system part of PCI scope), use virtual terminal solutions where patients can enter their own card data while on the phone with your staff. Solutions like Cardpointe or Payment Express IVR remove your staff and phone systems from the payment process.

Cost-benefit analysis typically favors scope reduction. Implementing SAQ D controls for a practice management system can cost $20,000-$50,000 in technology and consulting fees. Replacing that integrated payment module with tokenization or P2PE usually costs under $5,000 and reduces your ongoing compliance burden by 90%.

Best Practices From Compliant Physical Therapy Practices

The most successfully compliant practices share common approaches that balance security requirements with operational efficiency.

Leading practices eliminate paper payment forms entirely. They use tablet-based intake systems with integrated P2PE card readers for walk-in payments. Recurring billing authorizations happen through secure patient portals with tokenization. When paper is absolutely necessary, they implement same-day scanning and shredding procedures with documented destruction logs.

Staff training goes beyond annual checkbox exercises. Compliant practices run monthly five-minute refreshers during team meetings, focusing on one specific scenario: “What do you do when a patient wants to give you their card number over the phone?” Real scenarios stick better than abstract security principles.

Technology standardization across locations reduces complexity and cost. Rather than letting each clinic choose its own payment solution, successful multi-location practices standardize on a single P2PE terminal model, one virtual terminal solution, and consistent network configurations. This simplifies compliance documentation and staff training.

Clear separation between clinical and payment systems is non-negotiable. The best-run practices segment their networks so a breach in the clinical documentation system can’t reach payment processing. They use separate computers for payment processing when full network segmentation isn’t feasible.

Regular payment security audits catch scope creep before annual assessments. Quarterly reviews of new workflows, system changes, and staff procedures prevent the “surprise non-compliance” that happens when practices drift from their documented procedures.

FAQ

Our practice management system stores credit cards for recurring billing. What SAQ do we need?

If your PMS stores cardholder data electronically, you’ll need SAQ D for Merchants unless the vendor provides a validated P2PE or tokenization solution. Many practices avoid this by using the PMS for scheduling and clinical notes while processing payments through a separate, tokenized solution that only passes non-sensitive tokens to the PMS.

Do we need PCI compliance if we only accept insurance payments, not patient cards?

No, PCI compliance only applies when you accept payment cards directly from patients. However, most practices accept credit cards for copays, deductibles, or cash-pay patients, which triggers PCI requirements regardless of your insurance billing volume.

Can we keep credit card authorization forms for patients on recurring payment plans?

Physical forms with cardholder data must be stored in locked cabinets with documented access controls, and destroyed according to retention policies. Better practice: use electronic authorization with tokenization, eliminating the need to store any cardholder data while maintaining payment convenience.

How does HIPAA compliance relate to PCI compliance for payment data?

HIPAA and PCI DSS are separate standards with different requirements. HIPAA-compliant systems aren’t automatically PCI-compliant — you need specific technical controls like network segmentation, quarterly vulnerability scanning, and PCI-approved encryption methods that go beyond HIPAA requirements.

What if patients email us their credit card information?

Train staff to immediately delete emails containing cardholder data and contact the patient through secure channels. Implement email filtering rules to flag potential card numbers. Document this as a policy and include it in your incident response procedures for inadvertent card data receipt.
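The email filtering rule described above, and the appointment notes, spreadsheets and scanned forms named earlier as places card data turns up, can both be served by one detection check: find digit runs of card-number length, confirm them with the Luhn mod-10 check so patient IDs and phone numbers are not flagged, and log only the masked value. The following is an added example, not code from PCICompliance.com or from any practice management vendor; the sample records are constructed and the hypothetical `scan_records` helper stands in for whatever mail filter or DLP hook a practice actually wires this into.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check on a string of decimal digits (every second digit from
    the right is doubled, with 9 subtracted when the result exceeds 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a finding log should hold."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-length digit run in the text, separators stripped."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_records(records: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Hypothetical filter hook: records are (source, text) pairs from email bodies,
    notes or spreadsheet cells. Findings carry the source and a masked PAN only,
    so the detection log itself never becomes cardholder data storage."""
    findings = []
    for source, text in records:
        for pan in find_pans(text):
            findings.append({"source": source, "masked_pan": mask_pan(pan), "length": len(pan)})
    return findings


# Constructed sample records. The two card numbers are the well-known Visa and
# Mastercard test values, not real accounts.
SAMPLE_RECORDS = [
    ("appointment_note", "Pt prefers Tues; save card ending in 1234 for copays"),
    ("email_body", "Hi, please charge my Visa 4111 1111 1111 1111 exp 09/27 for the deposit"),
    ("spreadsheet_cell", "5555-5555-5555-4444"),
    ("intake_form_scan", "Patient ID 1234567890123, phone 512-555-0100"),
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"{finding['source']}: card data detected ({finding['masked_pan']})")
```

Only the email body and the spreadsheet cell are flagged: the "ending in 1234" note holds no full PAN, the 13-digit patient ID fails the Luhn check, and the phone number is too short. A rule like this is a tripwire for the incident response procedure the answer describes, not a substitute for keeping card data out of email in the first place.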

Do small practices really get fined for PCI non-compliance?

While headline-grabbing fines typically hit large breaches, non-compliant practices face monthly non-compliance fees from their processor ($20-$100/month), increased transaction rates, and potential loss of payment processing privileges. The real risk is liability for fraud losses if your non-compliance enables a breach.

Conclusion

Physical therapy PCI compliance doesn’t have to overwhelm your practice operations. The key is understanding that your HIPAA compliance provides a foundation but doesn’t address payment-specific security requirements. By mapping where cardholder data flows through your practice — from front-desk terminals to recurring billing systems — you can make strategic decisions about scope reduction that simplify compliance while improving payment security.

Most physical therapy practices can achieve compliance through a combination of P2PE terminals for in-person payments, tokenization for recurring billing, and clear policies for handling payment data. The investment in proper payment technology typically pays for itself through reduced compliance costs and eliminated monthly non-compliance fees.

PCICompliance.com gives you everything you need to achieve and maintain PCI compliance — our free SAQ Wizard identifies exactly which questionnaire you need based on your actual payment environment, our ASV scanning service handles your quarterly vulnerability scans with healthcare-friendly scheduling, and our compliance dashboard tracks your progress year-round. Start with the free SAQ Wizard to understand your requirements or talk to our compliance team about the specific challenges of healthcare payment processing. We’ve helped thousands of healthcare providers navigate PCI compliance while maintaining focus on patient care.
