PCI Requirements
With the launch of Hint Payments, it’s a good time to share guidance on how to stay compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Hint’s PCI Compliance
Hint Payments is a fully PCI DSS Level 1 compliant solution, which means we meet the highest standard for securely storing, processing, and transmitting cardholder data. By using Hint Payments, you outsource the most complex parts of PCI compliance from your business.
That said, every merchant is still responsible for maintaining their own PCI compliance. For most Hint customers, this is a simple process that requires only a short self-assessment.
Do I Need to Validate My PCI Compliance?
All merchants are required to comply with PCI DSS, but not all are required to formally submit proof of validation.
In most cases, Hint customers only need to complete a Self-Assessment Questionnaire (SAQ) to confirm their compliance.
Hint will notify you if your situation requires additional validation or submission.
Even when not required, completing an SAQ is considered best practice—it helps demonstrate compliance and reduces potential risk.
Understanding the PCI Self-Assessment Questionnaire (SAQ)
The SAQ is a standardized questionnaire that merchants complete in-house to evaluate their security measures. It serves as documentation of PCI compliance for the vast majority of Hint customers.
There are different types of SAQs, each tailored to a merchant’s payment setup. To help you determine which SAQ applies to your business, review the table below:
When… | You should… |
Your customers (patients or employers) enter payment information into Hint themselves. (very common) | Complete SAQ A (22 questions) |
Your staff enter card data into Hint via dedicated, secure computer terminals. (common) | Complete SAQ C-VT (47 questions) |
You use a card-present terminal device to capture card information. (less common) | Complete SAQ B-IP (30 questions) |
You’ve built your own payment capture page and send encrypted payment tokens via Hint’s API. (unusual) | Complete SAQ A-EP (41 questions) |
You electronically store, process, or handle credit card data directly, or you have PCI use cases not covered above. (rare) | Complete SAQ D (330+ questions); consult a PCI Qualified Security Assessor first |
⚠️ Note: Missing or incorrect SAQs can increase your organization’s risk profile with processors and card networks, which may lead to additional scrutiny or costs. Completing the correct SAQ helps you maintain favorable processing terms and demonstrate strong security practices.
Getting Support
If you’re unsure which SAQ applies to your business, you can:
Review the Responsibility Matrix we’ve provided alongside the SAQ table.
Consult with a PCI Qualified Security Assessor (QSA) for professional guidance.
Pre-Filled SAQ-A for Hint Payments
To make compliance even easier, Hint has prepared a pre-filled SAQ-A for customers using Hint Payments that will streamline the process for most of you. We’ve highlighted areas for you to complete and left comments to guide you through the form. Click here to make a copy of the SAQ-A to complete.
PCI Best Practices
For All Customers (Baseline – SAQ A)
Account & Access Security
Enable MFA on all services you use (e.g. Hint, email, EHR, scheduling, file sharing). Prefer app-based MFA over SMS.
Use strong, unique passwords (≥12 characters).
No shared accounts — each staff member should have their own login.
Enable account security alerts for email:
Gmail/Google Workspace: alerts for new logins, password changes, suspicious attempts.
Microsoft 365/Outlook: unusual sign-ins, password resets.
Apple ID/iCloud: sign-in and password change alerts (default on with MFA).
Technology Hygiene
Keep devices updated: Windows auto-updates; on Macs/iPhones/Android, turn on automatic updates.
Browsers: Use Chrome, Edge, or Firefox (auto-update by default).
Enable firewalls: Windows and most routers have the firewall on by default; on macOS it must be turned on manually (see Apple’s guide).
Antivirus: Windows Defender (already built-in and enabled by default), Avast Free for Mac.
Network & Router Security
Change default router admin password.
Keep router firmware updated (ISP often does this; if not, check once or twice a year).
Wi-Fi: Use WPA2/WPA3 with a strong password; don’t share staff Wi-Fi with patients — use a guest network if needed.
Staff Training & Policies
Never write down or store credit card numbers.
Lock devices when unattended.
Don’t install unapproved software on work devices.
Recognize phishing emails/texts.
Review training and security policy annually.
Data Handling & Media
If PAN is ever written down by mistake: shred immediately.
Before donating/recycling computers or phones: factory reset/wipe.
Physical Security
Keep offices/workstations locked when unattended.
Restrict access to payment devices to staff only.
Vendors
If you use other payment vendors, confirm that they are PCI DSS compliant.
Your Staff Enter Patient Card Data to Hint (SAQ C-VT) – add to baseline
Only enter cards directly into Hint.
Never copy/store card info elsewhere.
Use business-only computers with firewall + antivirus enabled.
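The baseline rule above (never write down or store card numbers; shred any PAN written down by mistake) and the SAQ C-VT rule (never copy card data anywhere other than Hint) are easiest to enforce if you can find accidental PANs in the places staff actually type, such as free-text notes or support tickets. The following is an added example, not code from Hint or from the PCI DSS itself: a small scanner that flags digit sequences that look like a card number and pass the Luhn mod-10 check, then reports them masked to the first six and last four digits so the report itself does not become stored cardholder data. The sample records and the regular expression are constructed for this illustration; the card numbers in them are public card-network test numbers, not real accounts.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. (Constructed pattern for this example.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum.

    Every second digit from the right is doubled (subtracting 9 if the result
    exceeds 9); a valid PAN sums to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in text, digits only.

    The Luhn filter removes most look-alikes (order numbers, tracking codes)
    that merely have the right length.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records):
    """Return (record_id, masked_pan) for every record that appears to hold a PAN."""
    hits = []
    for record_id, text in records:
        for pan in find_pans(text):
            hits.append((record_id, mask_pan(pan)))
    return hits


# Constructed sample records resembling staff notes. Only records 1002 and 1004
# contain Luhn-valid card numbers; 1003 holds an order number and a tracking
# code that the regex picks up but the Luhn check rejects.
SAMPLE_RECORDS = [
    ("note-1001", "Patient called re: balance; card on file ends 4242."),
    ("note-1002", "Pt gave card 4242 4242 4242 4242 exp 12/27 over phone - run in Hint"),
    ("note-1003", "Order #1234567890123 shipped; tracking 9400 1000 0000 0000 0000 00"),
    ("note-1004", "Use 5555-5555-5555-4444 for the membership, per spouse"),
]

if __name__ == "__main__":
    for record_id, masked in scan_records(SAMPLE_RECORDS):
        print(f"{record_id}: possible PAN {masked} - remove it and re-enter the card in Hint")
```

Run it periodically against an export of whatever free-text fields staff can edit; each hit is a record to clean up (delete the number, enter the card only in Hint) and a reminder for training, since under SAQ A and SAQ C-VT your environment should hold no PAN at all.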
Point-of-Sale Devices (SAQ B-IP) – add to baseline
Physically secure POS devices, inspect regularly for tampering.
Connect POS devices to your office network, never to public Wi-Fi.
If possible, segment POS devices on their own VLAN.
Building your own Payment Page via API (SAQ A-EP) – add to baseline
Keep website/CMS and plugins updated.
Require MFA and strong passwords for website admins.
Always serve your site over HTTPS with a valid TLS/SSL certificate.
Use hosting that provides malware/security scanning.
As You Scale (For Larger Practices)
If your group is growing (e.g. >10 staff or multiple locations), consider:
Single Sign-On (SSO): Centralized login across Hint, email, EHR, and other apps — simplifies onboarding/offboarding and enforces MFA.
Centralized Device Management (MDM/Endpoint Protection): Tools like Microsoft Intune, Jamf, or JumpCloud to enforce updates, encryption, and lock/wipe devices remotely.
Documented Security Program: Formalize an annual review of policies, risk assessment, and staff training. This scales better than ad hoc reminders.
Control Area | Everyone (A) | Phone/VT (C-VT) | POS Device (B-IP) | API/Embed (A-EP) |
MFA + strong passwords | ✅ | ✅ | ✅ | ✅ |
Enable account security alerts | ✅ | ✅ | ✅ | ✅ |
Keep devices updated (OS/apps) | ✅ | ✅ | ✅ | ✅ |
Change router admin login | ✅ | ✅ | ✅ | ✅ |
Keep router firmware updated | ✅ | ✅ | ✅ | ✅ |
Wi-Fi encryption + guest net | ✅ | ✅ | ✅ | ✅ |
Firewalls + antivirus | ✅ | ✅ | ✅ | ✅ |
No writing/storing PAN | ✅ | ✅ | ✅ | ✅ |
Shred/wipe if accidental PAN | ✅ | ✅ | ✅ | ✅ |
Staff training (annual) | ✅ | ✅ | ✅ | ✅ |
Lock offices/devices | ✅ | ✅ | ✅ | ✅ |
Confirm vendor PCI compliance | ✅ | ✅ | ✅ | ✅ |
Device tamper checks | — | — | ✅ | — |
Network segmentation (POS) | — | — | ✅ | — |
Website hardening | — | — | — | ✅ |
SSL/TLS required | — | — | — | ✅ |
Please see the Payment Card Industry Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance.
