
PCI Compliance for Mental Health Practices: What It Is and How to Stay Compliant for Free


What Is PCI Compliance and Why It Matters for Your Practice

If you accept credit or debit card payments — whether for therapy sessions, copays, or supervision fees — you’re part of the Payment Card Industry (PCI) ecosystem.

PCI compliance means following the Payment Card Industry Data Security Standard (PCI DSS) — a set of security requirements designed to protect cardholder data and reduce fraud. These standards apply to everyone who stores, processes, or transmits card information, including small healthcare practices.


The goal of PCI DSS is simple: make sure patient payment data stays safe.

But here is the key point: if you use a third-party payment processor (QuickBooks Payments, Stripe, Square, or the built-in payment tool in your EHR or Wix website) and the card number never touches your own systems, most of the PCI DSS requirements fall on the processor. Your own obligations shrink to a short self-assessment plus basic hygiene on the devices you use for billing. Smaller, but not zero.


Why You Might Suddenly Be Asked to Pay a PCI “Compliance Fee”

If you’ve ever received an email or invoice saying you must “complete your PCI compliance assessment” — or worse, pay a vendor like SecurityMetrics or SecureTrust to do it for you — you’re not alone.

Many clinicians using QuickBooks, TherapyNotes, SimplePractice, or other platforms have received these notices. They often look official, with language like:

“Your account will be charged $99 for PCI compliance services unless you complete your assessment.”

So what’s happening?


In most cases, your payment processor (e.g., QuickBooks) has outsourced PCI compliance management to a third-party company. These vendors run online “compliance portals” where merchants answer a questionnaire (the Self-Assessment Questionnaire, or SAQ) and sometimes perform security scans.


That convenience comes with a price tag — usually $99–$200 per year — billed as a PCI compliance program fee.

But here’s the truth:

Neither the law nor PCI DSS requires you to pay those vendors. The SAQ document itself is free. Whether your merchant agreement with the processor obliges you to submit through their portal is a separate, contractual question, so read that agreement before refusing the portal outright.

Understanding the SAQ (Self-Assessment Questionnaire)

The SAQ is a short form that helps you confirm your compliance with PCI DSS. There are several types of SAQs depending on how your business handles payments.

Most mental health practices that take payment online or through their EHR fall under SAQ-A, the simplest version. You qualify for SAQ-A if:

  • All card handling is outsourced to a PCI DSS validated third party (QuickBooks, Stripe, Square, or your EHR’s built-in payment feature), and you have confirmed that provider is compliant.

  • You do not electronically store, process, or transmit card numbers on your own systems (paper records such as a signed authorization form are the one exception).

  • The client enters the card details on a page or form delivered entirely by the provider (a redirect or an iframe they host), not one your own website builds.

One caveat: SAQ-A is for card-not-present payments. If you swipe or tap cards on a physical reader, or you key client card numbers into a web-based virtual terminal yourself, a different and somewhat longer questionnaire applies (for example SAQ-B, SAQ-P2PE, or SAQ-C-VT). The free, do-it-yourself process below is the same; only the form changes.

✅ In plain terms: if your clients enter their payment details directly on a QuickBooks, Stripe, or Wix checkout page and you never see the full card number, you are already meeting the requirements that matter most.

You just need to document it.


How to Complete PCI Compliance for Free

Here’s how to stay compliant without paying anyone extra:

  1. Download the Free SAQ-A Form

    Get it directly from the PCI Security Standards Council document library here: 👉 PCI DSS v4.0 SAQ-A (Official PDF). Make sure you download the current revision (v4.0.1 at the time of writing; v4.0 was retired at the end of 2024).

  2. Fill Out the Short Questionnaire

    It is a short list of requirements you mark as in place (or not applicable), confirming that:

    • You use a PCI DSS validated vendor to process cards and have confirmed its compliance.

    • You don’t store or transmit card data on your own systems.

    • You keep the systems you do use secure (unique accounts and strong passwords for your billing platform, no vendor default passwords, patched devices, and so on).

    The form ends with an Attestation of Compliance that you sign on behalf of the practice.

  3. Keep a Copy in Your Records

    Save the signed document in your compliance binder or EHR compliance folder. You don’t need to send it anywhere unless your processor specifically requests it.

  4. If QuickBooks or SecurityMetrics Contacts You

    You can respond with something like:

    “Our practice uses QuickBooks Payments, a PCI DSS Level 1 validated service provider. We qualify for SAQ-A and will self-attest directly without using a paid third-party portal.”

  5. Recommended: Request QuickBooks’ Attestation of Compliance (AoC)

    This document shows that QuickBooks has been validated as PCI DSS compliant for the part of the process where card data is actually handled. Confirming your provider’s compliance is one of the SAQ-A eligibility criteria, so keeping a copy of the AoC (or a screenshot of the provider’s listing on the card brands’ compliant service provider registries) alongside your own SAQ closes that loop.


What If Your Processor Says You Must Pay a Third-Party Vendor?

Some processors automatically enroll you in their vendor’s PCI portal, often without your consent. If that happens, you have the right to push back.

You can politely (but firmly) say:

“We understand that PCI DSS requires completion of the applicable SAQ, but not payment to a specific vendor. Our practice will complete SAQ-A independently and provide documentation as needed.”

There is no PCI DSS rule that forces small healthcare practices to pay for validation through a vendor portal. That fee exists because it is convenient for the processor to outsource collecting attestations, not because the standard requires it.


Common Myths About PCI in Mental Health Settings

Myth: “I have to pay a vendor to be PCI compliant.”
Reality: ❌ False. You can self-attest for free using the official PCI DSS SAQ.

Myth: “I don’t need to worry about PCI at all since I use QuickBooks.”
Reality: ⚠️ Partly false. You still have to complete and keep the SAQ-A, and keep the devices you bill from secure, but your share of the work is small.

Myth: “If I use Stripe or Wix, I’m automatically covered.”
Reality: ✅ Mostly true, provided the card form is delivered entirely by the processor (a redirect or an iframe they host) and your own site never touches the card number. If your site’s own code collects the card details and passes them on, you fall under SAQ-A-EP, a longer questionnaire.

Myth: “HIPAA covers payment data.”
Reality: ⚠️ Partly false. HIPAA treats payment records tied to a client’s care as protected health information, but it says nothing about how card numbers must be protected; that is PCI DSS. Meeting one does not satisfy the other.

How to Know If You’re Already Covered

You’re likely already compliant if:

  • You never type or see a client’s full credit card number.

  • Clients enter their information through a secure processor (QuickBooks, Stripe, Square, Tebra, CharmEHR, etc.).

  • You don’t store payment info in emails, notes, or spreadsheets.

  • You use secure, encrypted devices and passwords to access your billing platforms.

If this describes you, you almost certainly qualify for SAQ-A. Complete it, keep it on file, and you’re done.
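Before signing an attestation that card numbers are not stored on your systems, it is worth actually looking, because a stray card number in an exported note or a billing spreadsheet is exactly what makes a practice ineligible for SAQ-A. The following is an added example, not part of the original article and not a tool from QuickBooks, Stripe, or any PCI vendor: a small Python scanner that looks for 13-19 digit numbers passing the Luhn check (the checksum every real card number satisfies) in plain-text files. The sample notes and file names are constructed for illustration, and 4111 1111 1111 1111 is a standard test card number, not a real account.

```python
"""Scan text for stored card numbers (PANs) before attesting to SAQ-A.

Added example, not the article's or any processor's tool. The sample
notes below are constructed; 4111 1111 1111 1111 is a standard test
number, not a real account.
"""
import re
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer digit run (so a 20-digit ID is not split up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that every real card number passes (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2  # and fold two-digit results back to one
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number-like strings in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Drop constant runs such as 0000000000000000, which pass Luhn trivially.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_directory(root: Path, suffixes=(".txt", ".csv", ".md")) -> dict[str, list[str]]:
    """Walk root and report masked hits per text file; unreadable files are skipped."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = find_pans(text)
        if hits:
            report[str(path)] = [mask(p) for p in hits]
    return report


# Constructed sample notes (hypothetical file names, no real client data).
SAMPLE_NOTES = {
    "intake_jd.txt": "Copay collected. Card on file 4111-1111-1111-1111 exp 12/27. Phone 555-123-4567.",
    "billing_log.csv": "2025-01-14,NPI 1234567893,invoice 20250114001,ref 1234567890123456",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the scanner over the in-memory samples; same logic as scan_directory."""
    report = {}
    for name, text in SAMPLE_NOTES.items():
        hits = find_pans(text)
        if hits:
            report[name] = [mask(p) for p in hits]
    return report


if __name__ == "__main__":
    # Point scan_directory at your exported notes folder to scan real files,
    # e.g. scan_directory(Path("~/Documents/practice-exports").expanduser()).
    for name, pans in scan_samples().items():
        print(f"{name}: {pans}")   # intake_jd.txt: ['411111******1111']
```

The phone number, the NPI and the 16-digit reference in the second note are ignored: the first two are too short, and the reference fails the Luhn check. Any hit the scanner does report should be treated as a finding to delete and to stop the practice that produced it, not just something to note; a Luhn-valid 16-digit number that is genuinely not a card (some account or ticket numbers are) is rare enough that every hit deserves a look. Run it against exported notes, spreadsheets and mailbox exports, never against the processor's own portal.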


Why This Matters for Clinicians

Small therapy and psychiatry practices are already juggling HIPAA, OSHA, CMS, and insurance regulations. The last thing you need is another surprise “compliance” fee that isn’t actually required.

Knowing what PCI DSS actually requires of a small practice helps you:

  • Avoid unnecessary annual fees.

  • Prevent duplicate compliance work.

  • Protect your business and patients’ payment data.

  • Stay confidently compliant with industry standards — for free.


Final Thoughts

PCI compliance doesn’t have to be intimidating or expensive. If you’re using QuickBooks, Stripe, Square, or your EHR’s built-in payment processor, you’re already halfway there.

Don’t let third-party vendors convince you that compliance requires an extra bill. Download the free SAQ-A, fill it out once a year, and keep it on file — that’s all most mental health practices need to stay compliant.


Did you find this article helpful? Consider sharing it with a colleague!


© 2025 DNP Consulting, LLC

DNP Consulting is a Healthcare Management Services Organization (MSO). None of the information contained here constitutes legal, accounting, or medical advice. The information presented is informational and intended to serve as a reference for interested parties and not to be relied upon as authoritative. Your personal legal and financial counsel or healthcare providers should be consulted as appropriate. 

  

All content found on this website was created for informational purposes only.  The content is not intended to be a substitute for professional medical and/or legal advice.  Always seek the advice of your medical provider with any questions you may have regarding a medical condition. Never disregard professional medical advice or delay in seeking treatment because of something you have read on this website or any website. DNP Consulting, LLC, their respective staff, employees, contractors, or owners do not personally recommend or endorse any specific tests, physicians, products, procedures, opinions, or other information that may be mentioned on this website and related forums. Reliance on any information provided by this website, employees, contractors, or medical professionals presenting content for publication is solely at your own risk.
