PCI compliance for healthcare
Take patient payment data out of PCI scope. A European PCI DSS Level 1 vault for providers, clinics and health-tech — tokenized cards for online, phone and recurring billing, with EU data residency.
Healthcare handles cards across many touchpoints
Online booking, reception desks, phone payments, billing and treatment plans all touch card data — alongside some of the most sensitive personal data there is.
Many payment points
Web, reception, phone and billing systems each handle cards, multiplying what falls into PCI scope.
Sensitive data alongside cards
Card data sits next to health information, raising the stakes of any breach and the need to minimise scope.
Phone & reception payments
Staff often take cards by phone or at the desk, which can pull people and systems into scope.
Recurring & instalments
Treatment plans, memberships and instalments need a card you can charge again without storing the PAN.
Audit burden
Providers have limited security resources, so a full SAQ D programme is a heavy, ongoing cost.
EU data residency
Patients and regulators expect card and personal data to stay in the EU under GDPR.
Systems that never see a card number
Hosted fields & SDKs
Card inputs send data straight to the vault and return a token — secure online and in-app payments with no PAN on your servers.
Phone & reception payments
MOTO (mail order/telephone order) capture sends the card straight to the vault without displaying or storing it, keeping phone and desk payments out of scope.
Recurring billing
Charge stored tokens for treatment plans, memberships and instalments, with no card data in your billing system.
EU custody
Card data is stored only in European data centres under PCI DSS Level 1, with GDPR-aligned residency.
Healthcare payments, answered
01 How does tokenization keep a healthcare provider PCI compliant?
Patient card details are captured in hosted fields or by phone and sent straight to a PCI DSS Level 1 vault, which returns a token. Your booking systems, patient records and billing tools only ever hold tokens, so cardholder data never touches your environment and most providers qualify for SAQ A.
02 Can we take payments over the phone for appointments?
Yes. Agents can capture cards through a MOTO flow where the number is sent directly to the vault and never displayed or stored, so phone and reception payments stay out of PCI scope while remaining easy for staff.
03 Does it support recurring and instalment billing?
Yes. A token represents a stored card you can charge again for treatment plans, memberships and instalments — without holding the real card number in your systems.
04 Is patient card data kept in the EU?
Yes. PCI Proxy stores card data only in European data centres with GDPR-aligned residency — important for healthcare providers that handle sensitive data under regional data-protection rules.
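The token-only design described in the answers above, as an added illustration that is not PCI Proxy's own code: a billing store that accepts vault tokens but refuses any field containing a PAN-like value (a Luhn-valid 13 to 19 digit run), so a card number typed into a phone-payment note cannot land in patient records, and an instalment charge that hands the vault nothing but the token. The vault client is a hypothetical callback, and the token and card values are constructed test data.

```python
import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string (the check every real PAN passes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if value contains a 13-19 digit run (spaces/dashes allowed) that passes Luhn."""
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


@dataclass
class BillingRecord:
    patient_id: str
    card_token: str      # opaque token returned by the vault; never the PAN
    notes: str = ""      # free text typed by reception or phone staff


class TokenOnlyStore:
    """In-memory stand-in for the billing database; rejects PAN-like values."""

    def __init__(self) -> None:
        self.records: list[BillingRecord] = []

    def save(self, rec: BillingRecord) -> int:
        for name, val in vars(rec).items():
            if isinstance(val, str) and looks_like_pan(val):
                raise ValueError(f"refusing to store PAN-like value in field '{name}'")
        self.records.append(rec)
        return len(self.records)


def charge_instalment(store: TokenOnlyStore, vault_charge, patient_id: str, amount_cents: int):
    """Charge a stored token; only the token and amount leave the billing system.

    vault_charge is a hypothetical client callback (token, amount_cents) -> receipt.
    """
    rec = next(r for r in store.records if r.patient_id == patient_id)
    return vault_charge(rec.card_token, amount_cents)
```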
Take patient payments out of PCI scope
Tell us about your booking, billing and phone flows, and we'll map a tokenization setup that keeps you on SAQ A.