ChiroSpring Pay - PCI Compliance - PCI Toolkit
If your practice processes credit cards (either with a terminal or by manual entry), then you are subject to PCI DSS (the Payment Card Industry Data Security Standard). In the past we used PCI compliance systems such as Sysnet and Viking Cloud. Now, for every ChiroSpring Pay customer, we are offering our own solution (provided by our backend partner, Stax) called PCI Toolkit.
Similar solutions cost over $200/yr. To benefit our customers and continue keeping our ChiroSpring Pay pricing clear and transparent, we are making this solution free for you!
Failure to obtain PCI Compliance status will result in a monthly charge to your ChiroSpring Pay account of $54.95.
Benefits of PCI Toolkit Service
- The service makes it easy to obtain PCI compliance status through a simple questionnaire process
- Practices with multiple locations may link their accounts to simplify the compliance process (only one questionnaire needs to be completed for all locations when linked)
- You are covered up to $100,000 for any incident, specifically for fees levied and the cost of the audit and claims process
- Employee fraud is also covered up to the same $100,000
How to Enroll - PCI Toolkit Service
One to two weeks after your ChiroSpring Pay account is activated, you will receive an email from our PCI compliance partner (Conformancetech) to set up your PCI compliance. Follow the steps in this email to access the portal and set up your account.
PCI Toolkit Steps
- Complete your business profile (only needs to be completed once)
- Determine which SAQ (Self-Assessment Questionnaire) fits your practice. The most common for chiropractic practices are:
  - Using a terminal - choose B or B-IP.
  - Manual entry only - choose C-VT or A.
None of these options require a penetration test on your network.
- Complete the Self-Assessment Questionnaire (SAQ). This questionnaire asks about your practice, network, processing workflows, and security.
- Complete the attestation - attest to the results of the compliance test. Your PCI compliance is valid for 1 year (the process must be repeated annually to remain PCI compliant).
Non-PCI Compliance
- If you have not completed your PCI compliance testing within 90 days of your ChiroSpring Pay activation, your account will be considered non-PCI compliant.
- A charge of $54.95 applies to any account that is non-PCI compliant.
Linking Locations
Merchants with multiple locations that all take payments in the same way (for example, all card-not-present, CNP) can be linked together so one questionnaire can be used for all locations. To link locations, follow the steps below.
- First complete the initial compliance for one of your locations.
- Create a support request through the PCI Toolkit (portal). In the support request, please include the DBA name and MID of the master account and sub-accounts. If you do not know your MID you may ask us at service@chirospring.com.
- Because compliance is tracked at the MID level and varies based on how payments are processed, this is a manual step: it ensures sign-off that each sub-MID processes payments in the same manner as the AOC (Attestation of Compliance) you are looking to link it to.
- All MIDs need to be compliant for the master account to be considered compliant.
It is worth noting that if you are validating once for all locations, all locations will be subject to a "Failed Questionnaire" if the primary location fails.
Support for PCI Toolkit
All support questions can be submitted inside the PCI Toolkit portal, or sent by email to support@pcitoolkit.com. Make sure you include your practice name and PMID.
Sample Questions With Our Answers
The questions below may be useful to you as they relate to ChiroSpring and/or our servers.
Vulnerability Scan
After the SAQ is finished, PCI Toolkit will require a scan to be scheduled in Step 3 of the PCI compliance process if the user completed SAQ A, A-EP, B-IP, C, or D.
- The user selects "Next" under the column "Step 3 scanning".
- The user arrives at the "Submit IP/Domain Information" screen, where they are asked to fill out the IP or website address to be scanned, and then clicks "Submit". If your IP is not known, do a Google search for "what is my IP" to find your public address, or ask for assistance with finding a private address.
- After scheduling a scan, the site redirects the user back to the dashboard. (As noted on the "Schedule a scan" page, scan results can take up to 24 hours to populate in the portal; however, in most scenarios, results will populate by the beginning of the following business day.)
- Once back at the dashboard, they can click on the "Scan Info" hyperlink.
(By clicking this button, PCI Toolkit will show the date the scan will be assessed and/or allow them to schedule another scan if needed.)
- Once scan results are available, the dashboard will show whether the scan passed or failed.
- The user can click the "Scan Info" hyperlink, and the report will be available to download via the "Get Report" button.
If the scan fails, the user will need to remediate the vulnerabilities noted in the report and reschedule a scan.
If the scan passes, the user can move on to the next required task on the dashboard.