PCI DSS Compliance
Effective Date: 11.11.2024
1. Purpose
This document establishes the comprehensive Payment Card Industry Data Security Standard (PCI DSS) Compliance Policy for OneMed Billing, hereinafter referred to as "the Company." This policy is designed to ensure that the Company maintains the highest standards of payment data security in all jurisdictions where it operates, including the United States, United Kingdom, and India. The policy ensures that all credit card transactions are processed in full compliance with applicable PCI DSS requirements, safeguarding sensitive client payment data against unauthorized access, fraud, and data breaches.
2. Scope
This policy applies to all Company employees, contractors, consultants, third-party vendors, and any other personnel engaged in the processing or facilitation of payment transactions on behalf of OneMed Billing. It specifically governs all activities related to the acceptance of credit card payments from healthcare providers (clients) for billing services rendered, including interactions with third-party payment service providers.
3. Compliance Statement
The Company operates as a service provider and does not directly collect, process, or store cardholder data on internal infrastructure. All payment transactions are securely handled via PCI DSS Level 1 certified third-party payment processors, specifically Stripe and Payoneer. The Company’s internal systems are intentionally designed to remain outside the scope of direct cardholder data handling, reducing security risks and maintaining strict compliance with global payment security regulations.
4. Policy Requirements
4.1 Use of Certified Payment Processors
All client credit card payments must be processed exclusively through PCI DSS Level 1 compliant third-party providers.
Payment links, hosted payment pages, and payment gateways utilized by the Company are subject to rigorous and ongoing verification of PCI DSS compliance by obtaining up-to-date compliance certificates from the payment providers.
4.2 No Storage or Transmission of Cardholder Data
The Company unequivocally prohibits the storage, processing, or transmission of cardholder data on any internal servers, systems, or networks.
All payment activities are facilitated through secure, encrypted, and externally hosted payment channels, guaranteeing that the Company’s operations remain within the most restricted PCI DSS compliance scope, under SAQ A classification.
4.3 Annual Self-Assessment Questionnaire (SAQ A) Compliance
The Company conducts and completes the PCI DSS Self-Assessment Questionnaire A (SAQ A) on an annual basis with the highest level of diligence.
A formal Attestation of Compliance (AOC) is prepared, signed, and retained on file, readily available for clients, partners, and regulatory authorities upon legitimate request.
4.4 Mandatory Employee Training and Awareness Programs
All employees involved in any payment-related processes are required to undergo intensive, annual PCI DSS compliance training.
The training program covers secure payment practices, data protection protocols, advanced fraud detection techniques, phishing attack prevention, and immediate incident reporting procedures.
Refresher courses and compliance workshops are conducted periodically to ensure employees are updated with evolving payment security practices and industry threats.
4.5 Rigorous Vendor Management Controls
The Company enforces a stringent vendor management process that mandates all third-party service providers engaged in payment-related services to demonstrate ongoing PCI DSS Level 1 compliance.
Annual verification and collection of current PCI DSS compliance certificates from all payment service providers (including Stripe and Payoneer) are compulsory, with meticulous documentation maintained.
4.6 Enhanced Monitoring, Auditing, and Security Oversight
The Company implements robust monitoring protocols and systematic internal assessments to continually evaluate adherence to PCI DSS requirements.
Annual internal compliance audits are conducted in addition to any third-party assessments, ensuring proactive identification and remediation of potential gaps or risks.
Comprehensive audit logs and detailed compliance records are maintained for regulatory audits and internal governance purposes.
5. Responsibilities
5.1 Employee Obligations
All employees must adhere strictly to this PCI DSS Compliance Policy and fulfill all training and procedural requirements.
Immediate reporting of any suspected security incidents, payment fraud attempts, or suspicious activities is mandatory.
5.2 Client Responsibilities
Clients are expected to protect their payment credentials and ensure all payments to OneMed Billing are processed exclusively via secure, authorized payment links provided by the Company.
Clients are required to promptly notify the Company of any suspected fraudulent activity, payment irregularity, or security concerns.
6. Enforcement and Disciplinary Measures
Non-compliance with this policy shall result in strict disciplinary actions, which may include formal warnings, suspension, termination of employment or contractual relationships, and if applicable, legal proceedings. The Company reserves the right to escalate any serious breaches to relevant legal or regulatory bodies in the United States, United Kingdom, or India, in accordance with applicable laws.
7. Periodic Policy Review and Continuous Improvement
This PCI DSS Compliance Policy shall undergo a comprehensive review on an annual basis, or whenever significant changes occur in payment processing technologies, applicable regulations, or the operational scope of the Company. Continuous improvements are pursued proactively to ensure the policy evolves alongside best practices and emerging payment security threats.
8. Policy Dissemination and Availability
This policy is publicly available to all employees, contractors, clients, and regulatory authorities upon request. It is integrated into onboarding processes, contractual agreements, and corporate compliance documentation, ensuring maximum awareness and adherence.
9. Contact Information
For any inquiries, clarifications, or to report payment-related security concerns, please contact:
Payment Security Compliance Team, OneMed Billing
Email: compliance@onemedbilling.org
Next Review Date: 01.01.2025
Version: 1