ChiroSpring Pay - PCI Compliance - PCI Toolkit

If your practice is processing credit cards (either with a terminal or manual entry) then you are subject to PCI DSS (payment card industry data security standards).  In the past we used PCI Compliance systems like Sysnet and Viking Cloud. Now, for every ChiroSpring Pay customer, we are offering our own solution (provided by our backend partner, Stax) called PCI Toolkit.


Similar solutions cost over $200/yr. To benefit our customers and continue keeping our ChiroSpring Pay pricing clear and transparent, we are making this solution free for you! 😊


Failure to obtain PCI Compliance status will result in a monthly charge to your ChiroSpring Pay account of $54.95.  

Benefits of PCI Toolkit Service

- The service makes it easy to obtain PCI compliance status through a simple questionnaire process

- Practices with multiple locations may link their accounts to simplify the compliance process (only one questionnaire needs to be completed for all locations when linked)

- You are covered up to $100,000 for any incident specific to fees leveled and the cost of the audit and claims process

- Employee fraud is also covered up to the same $100,000

How to Enroll - PCI Toolkit Service  

One to two weeks after your ChiroSpring Pay account is activated you will receive an email from our PCI Compliance Partner (Conformancetech) to setup your PCI Compliance.  Follow the steps in this email to access the portal and setup your account. If you did not receive this email send your practice name and PMID to support@pcitoolkit.com. Ask them to resend your PCI Toolkit Welcome Email.


Once you have successfully received the email and logged into the PCI Toolkit Portal continue with the steps below.


Sign Into PCI Toolkit Portal

Click to Sign into the PCI Toolkit Portal

Step 1

The first step of the toolkit is a questionnaire that determines what category (referred to as an SAQ) your practice belongs to based on the type of credit card processing you perform. Please review the list below carefully before you start the questionnaire to determine the correct SAQ. Then follow the instructions on completing the Step 1 questionnaire for your SAQ Category. 


If you belong to multiple categories, choose the option that occurs most often.

  • SAQ C-VT - Manual Entry Only (not using a terminal). All credit card transactions are entered virtually into ChiroSpring.
  • SAQ B-IP - Using a terminal to process payments (and/or manual entry).
  • SAQ A - Choose this option if your patients are paying with links (statements) or through the kiosk.

We have provided answers to these initial questions to ensure you are lead down the path into the correct SAQ. Upon completion of the Step 1 questionnaire, you will be assigned an SAQ (self-assessment questionnaire) for Step 2.


Resetting Questionnaire to Get Into Correct SAQ

It is important that you are categorized correctly in this first step to avoid being assigned to the wrong SAQ. If you have already completed this step and believe you were categorized incorrectly, you can reset the SAQ Category in two ways:

  1. Reach out to the PCI support team via the Support tab of the toolkit and ask them to reset the SAQ for you.
  2. Go back to where your SAQ Type is listed, along with Step 1 and Step 2, etc. Clicking on your SAQ type will give you the option to retake the Step 1 questionnaire to re-assign you. 

Tip: If you aren't sure which category you belong to, reach out to us at service@chirospring.com to let us know in your own words how you obtain card data and process payments. We will be happy to identify your SAQ group for you!


To get started click "Next" under “Step 1 Information”. 

SAQ C-VT

Here is how you'll want to answer the questions in Step 1:

  1. MOTO
  2. Virtual Terminal
  3. I type them in using a keyboard
  4. We cannot answer this for you, but can advise that card data collected via PQ is stored at the payment processor exclusively. The payment system does not allow you to see full card data.
  5. For questions 5 through 9, please double check your own operations but in general these should be No.

SAQ B-IP

Here is how you'll want to answer the questions in Step 1:

  1. Face to Face
  2. Stand Alone Terminal
  3. No
  4. Select WiFi or Network cable (ethernet cord) accordingly, then manually enter Dejavoo and QD2.
  5. We cannot answer this for you, but can advise that card data collected via PQ is stored at the payment processor exclusively. The payment system does not allow you to see full card data.
  6. For questions 6 through 9, please double check your own operations but in general these should be No.

SAQ A

Here is how you'll want to answer the questions in Step 1: 

  1. Ecommerce
  2. I have a website that I sell goods or services on and/or accept payments online
  3. It is hosted and managed by a PCI Compliant provider
  4. When credit card data is collected, it is collected on a PCI DSS validated third party website. 
  5. For questions 5 through 9, please double check your own operations but in general these should be No.

Step 2

Once you have completed Step 1 and have been assigned your SAQ, you will be assigned a Step 2 questionnaire. 

If you are confident that you do not hold cardholder data outside of ChiroSpring, you can answer Yes to all the questions in Step 2. Any card data you collect via ChiroSpring is held at the payment processor and is within the standards of the industry. 

Tip: If you are unsure whether you hold card data outside of ChiroSpring, please reach out to us at service@chirospring.com  for assistance. 

Step 3 (Vulnerability Scan - SAQ A and B-IP Only)

Some of our users (SAQ categories A and B-IP) will also be required to perform a vulnerability scan.  

If you manually input any card details, you should be using the  public IP Address (look up your IPV4 by going to https://whatismyipaddress.com) of the network where the user is inputting cards. However, if you only have clients enter their own card details online, this would be done via ChiroSpring's IP ( 20.119.98.13) and that address may be entered. The scan will perform on a 12 hour rotation, so it should be done by the following day. 

You will be notified of the scan results by email and through the toolkit dashboard.  

Step 4 (SKIP THIS STEP DOES NOT APPLY)

Step 4 should not be required for any ChiroSpring Pay users. If you have been assigned a Step 4 task, please review your SAQ Category above and reset the SAQ to begin back at Step 1. You can reset the SAQ Category in two ways: 
  1. Reach out to the PCI support team via the Support tab of the toolkit and ask them to reset the SAQ for you.
  2. Go back to where your SAQ Type is listed, along with Step 1 and Step 2, etc. Clicking on your SAQ type will give you the option to retake the Step 1 questionnaire to re-assign you. 

Step 5 (Enter Name & Title to Complete)

This is for you to submit your attestation for compliance.  

When you select "click here to attest", enter your Name and Title. Then step 5 will be marked as Confirmed and you can download your certificate.

Once you submit your attestation step 5 will be marked as Confirmed and you can download your certificate.

Ongoing Tasks

Each user will be assigned several ongoing tasks. These tasks are future dated to keep compliance and security on your mind throughout the year, until you re-attest to compliance in 12 months.  
You can simply click and confirm to complete them whenever you choose. 

Linking Locations

Merchants with multiple locations that all take payments in the same way (CNP for example) can be linked together so one questionnaire can be used for all locations. To link locations follow the steps below.

    1. First complete the initial compliance for one of your locations.
    2. Create a support request through the PCI Toolkit (portal). In the support request, please include the DBA name and PMID of the master account and sub-accounts. CLICK HERE to locate your PMID.
    3. As compliance is at a PMID level and varies based on how payments are processed, this is a manual step to ensure signoff that each sub PMID is processing in the same manner as the AOC you are looking to link it to.
    4. All PMIDs need to be compliant for the master account to be considered to be compliant.

It is worth noting that if you are validating once for all locations, all locations will be subject to a “Failed Questionnaire” if the primary location fails.

Support for PCI Toolkit

All support questions can be made inside the PCI Toolkit Portal.  Or, send an email to support@pcitoolkit.com.  Make sure you include your practice name and PMID. PMID can be found under your Subscription Overview.

Still need help? Contact Us Contact Us