Insurance companies and private healthcare facilities handle card payments continuously: insurance premiums, copayments, fee-for-service billing, reimbursements. Yet the PCI DSS obligations attached to insurance and healthcare payments are frequently ignored or addressed late, because these organisations do not think of themselves as "payment operators". The result is a risk exposure that combines PCI DSS gaps with GDPR obligations on health data.
Insurance companies and PCI DSS: where the risks hide
An insurance company that accepts premium payments by credit or debit card is subject to PCI DSS from the moment the first PAN passes through its systems. The points of exposure are numerous: web portals for online premium payments, call centres where operators take card data over the phone (which puts those operators' workstations, the telephony path and any call recordings in scope), recurring-charge systems for monthly or annual premiums, and refund processes that return value to a card.
A risk specific to the insurance sector concerns recurring-premium policies. If the company retains the customer's card data to charge the premium every month, it is responsible for the security of that data for the entire duration of the contract, which can last years. This creates a long-term CDE that must be assessed annually against the PCI DSS requirements, at significant compliance cost if the infrastructure is managed internally. Note also that the card verification code (CVV/CVC) may never be stored after authorisation, even to support recurring charges: a recurring-billing design that keeps it is non-compliant from day one.
Healthcare and card payments: CDE in clinical management systems
Private clinics, diagnostic centres and medical practices that accept card payments find themselves in a particularly delicate situation. Their health information systems (HIS, Hospital Information System) and clinical management software are not designed to comply with PCI DSS: they are built to manage medical records, appointments and reports, not to protect card data according to the requirements of a payment security standard.
The result is that many private healthcare facilities end up with card data in unencrypted databases, in booking-system logs, or in payment confirmation emails. Each uncontrolled accumulation point is a PCI DSS finding and, where patient data sits next to payment data, also a special-category GDPR risk (health data). After a breach the consequences apply cumulatively: card-brand fines and acquirer sanctions under PCI DSS, administrative fines under GDPR.
How tokenization simplifies compliance in these sectors
The most effective strategy for insurers and healthcare facilities is to separate payment data from operational and health data at the architecture level. With PCI Proxy EU, card data is collected once via a secure form or SDK, converted into a token and stored in the external vault. The clinical management system or the insurer's administration system works only with the token for recurring charges and never touches the PAN.
This separation has a direct effect on the PCI DSS perimeter: the HIS or insurance management system stays out of the CDE because it never handles card data in cleartext. Depending on merchant level and on how cards are captured, the facility may then qualify for a reduced-scope self-assessment questionnaire (for example SAQ A, which requires that all card-data capture is fully outsourced to a PCI DSS validated provider and that the facility's own systems never receive the PAN) rather than a full assessment, with significant time and cost savings. Two caveats apply: the web page that embeds the form or SDK remains the merchant's responsibility (PCI DSS v4 adds payment-page script management and tamper-detection requirements even for SAQ A merchants), and any channel where staff still key card data by hand, such as a call centre, keeps those workstations and operators in scope. On the GDPR front, keeping payment data away from health data means that a breach of one no longer automatically exposes the other.
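Two things a practitioner wants to check at this point: whether cleartext PANs have already leaked into logs, e-mails or exports as described above, and whether a token-based design really leaves nothing to find on the insurer/HIS side. The following is an added example, not code from the original page or from PCI Proxy EU: a PAN scanner (regex candidates filtered by the Luhn check, output masked so the scan report does not re-leak the PAN) run over constructed log lines, followed by a hypothetical in-memory vault standing in for an external tokenization service, with the merchant-side record and charge log scanned to confirm they contain no PAN. The `Vault` class, its `capture` and `charge` methods, and the log lines are all assumptions made for the example; 4111 1111 1111 1111 is a widely published test number, not a real card.

```python
import json
import re
import secrets
import string
from dataclasses import dataclass, field, asdict

# --- Part 1: finding PANs that leaked into logs, e-mails or DB exports --------

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check; weeds out most non-card digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four so a finding is identifiable without re-leaking the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Masked PANs found in text: regex candidates that also pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def scan_lines(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line number -> masked PANs found on that line."""
    report = {}
    for n, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            report[n] = hits
    return report


# Constructed log lines (not from any real system) showing the accumulation
# points named in the text. The order reference on line 4 is a 16-digit run
# that fails Luhn, so it must not be reported.
LEAKY_LOG = [
    "2024-03-15T10:22:31 booking=BK-20240315-0098 patient=P-44721 service=MRI amount=350.00",
    "2024-03-15T10:22:32 payment form posted: card=4111 1111 1111 1111 exp=12/27 amount=350.00",
    "2024-03-15T10:22:33 mail to patient: 'Your payment with card 4111-1111-1111-1111 was received'",
    "2024-03-15T10:22:34 order ref 1234567890123456 confirmed",
]

# --- Part 2: what the insurer/HIS side holds once capture goes through a vault


@dataclass
class Vault:
    """Hypothetical in-memory token vault standing in for an external service
    such as PCI Proxy EU (this is NOT its API). Only the vault holds the PAN."""
    _pans: dict = field(default_factory=dict)

    def capture(self, pan: str) -> dict:
        """Simulates the secure form/SDK posting the PAN directly to the vault;
        returns only what the merchant may keep: the token and the last four."""
        digits = re.sub(r"[ -]", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a plausible PAN")
        # Random, letters-only token: unrelated to the PAN, not reversible
        # without the vault, and never mistaken for a digit run by the scanner.
        token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
        self._pans[token] = digits
        return {"token": token, "last4": digits[-4:]}

    def charge(self, token: str, amount_eur: float) -> dict:
        """Recurring charge: the vault resolves the token and talks to the
        acquirer (simulated as always approved); the PAN never leaves here."""
        if token not in self._pans:
            raise KeyError("unknown token")
        return {"token": token, "amount": amount_eur, "status": "approved"}


@dataclass
class Policy:
    """Insurer/HIS-side record: token plus truncated PAN (last four), never the full PAN."""
    policy_id: str
    card_token: str
    card_last4: str


def enrol_recurring_premium(policy_id: str, capture_response: dict) -> Policy:
    """Merchant side of enrolment: it only ever sees the vault's capture response."""
    return Policy(policy_id, capture_response["token"], capture_response["last4"])


def monthly_charge_log(vault: Vault, policy: Policy, amount_eur: float) -> str:
    """Log line the administration system writes for a recurring charge."""
    receipt = vault.charge(policy.card_token, amount_eur)
    return (f"policy={policy.policy_id} token={policy.card_token} "
            f"card=**** {policy.card_last4} amount={amount_eur:.2f} status={receipt['status']}")


def merchant_side_pan_hits(vault: Vault, policy: Policy) -> list[str]:
    """Scan everything the merchant persists or logs for one policy; expected empty."""
    text = json.dumps(asdict(policy)) + "\n" + monthly_charge_log(vault, policy, 49.90)
    return find_pans(text)


if __name__ == "__main__":
    print("leaks in constructed log:", scan_lines(LEAKY_LOG))
    vault = Vault()
    policy = enrol_recurring_premium("POL-2024-0001", vault.capture("4111 1111 1111 1111"))
    print("PANs on merchant side:", merchant_side_pan_hits(vault, policy))
```

Run the scanner over real booking-system logs, mail queues and database dumps before scoping: every hit is a system that is in the CDE today, whatever the architecture diagram says. The token alphabet deliberately excludes digits; some tokenization products issue format-preserving tokens that look exactly like a PAN, and with those a digit-based scanner cannot tell token from card, so the scanner's hits would need to be cross-checked against the vault.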
Frequently asked questions
Is a private clinic that accepts cards subject to PCI DSS?
Yes, without exceptions. PCI DSS applies to any organisation that stores, processes or transmits cardholder data, regardless of its sector. A private clinic that accepts card payments for services is a PCI DSS merchant in every respect and must meet the validation requirements for its merchant level, which its acquirer sets based on annual transaction volume.
Are health information systems (HIS) in PCI scope?
It depends on how they are configured. If the HIS receives, stores or transmits card data (for example, a card used to pay for a service), or if it can affect the security of the systems that do, it is in PCI DSS scope. If instead payment runs through a separate system that shares no card data with the HIS and is properly segmented from it at the network level, the HIS can be out of scope; segmentation must be verified, not assumed. The cleanest solution is a tokenization system that prevents card data from ever reaching the HIS.
How does PCI compliance integrate with GDPR for health data?
Health data is a special category under GDPR (art. 9) and requires additional protective measures. When health data and card data coexist in the same system, a single breach can trigger consequences under both frameworks. Separating payment data via tokenization shrinks the PCI DSS perimeter and means a compromise of the clinical system no longer exposes card data (and vice versa). It does not reduce the GDPR obligations on the health data itself, which the facility still processes, but it narrows what any one incident can expose and simplifies overall risk management.
Want to separate payment data from health and insurance systems without disrupting operations? Discover PCI Proxy EU.