In almost all cases, merchants are dependent on other 3^rd parties to operate controls essential for their own PCI compliance. Under PCI, this does not absolve a business entity of responsibility for these controls; at minimum, they must obtain attestation from their 3^rd party vendors that they are operating their own controls in full compliance with PCI.

Likewise, the business entity must understand which controls it is responsible for operating. A common misconception is that an entity can fully outsource its PCI responsibility by utilizing PCI compliant vendors.  In almost every case, the entity will retain at least a small number of controls it must maintain, in conjunction with ensuring its vendors are PCI compliant.

With this understanding in mind, DPX has developed the matrix below identifying who (DPX, clients, or both) is responsible for operating to ensure PCI compliance.

DPX completes a PCI DSS compliance assessment annually by a PCI Qualified Security Assessor (QSA). The annual assessment is completed using the PCI provided Report on Compliance (ROC) template. Proof of completion of this assessment is provided to DPX clients by emailing compliance@echohealthinc.com.

Overview of Scope

DPX assists in the collection of payments on behalf of Payer Clients. Payment processing occurs as described below:

1. The Payer client initiates the process to provide payment through one of two ways (depending on the line of business): (1) a link sent to the Payee via an email that takes the Payee to an DPX hosted webpage (Payee Portal); or (2) via an iFrame present on a client hosted web page. Payees their claim information to log in and begin the payment process.
2. The payment page is present from the ECHOVault via an iFrame through the client hosted web page or Payee Portal.
3. For certain payment methods, Cardholder data is entered by the Payee and sent directly to the  ECHOVault, which then passes it on to the applicable third-party for payment processing. Encrypted cardholder data is stored within the ECHOVault to provide the contracted services.
4. Transaction validations are returned to Payees via the Payee Portal or Client hosted web page

Responsibility Matrix

If Client is leveraging their own hosted payment page directing Payees to the payment page hosted by the ECHOVault, they are responsible for applicable requirements outlined in the matrix below. This responsibility matrix assumes the Client is qualified for SAQ version A for this contracted service. Applicable requirements for Payer Clients to apply to their compliance scope include those noted as “Client” or “Shared.” Definitions for these designations are as follows:

• Client – compliance with this requirement is the responsibility of Payer customers for the service(s) provided.
• Shared – Each entity is responsible for attesting to compliance with the requirement for their respective compliance scope. Additional information can be found in the commentary column for each requirement.

Notes:

1. This responsibility matrix applies only to the payment process outlined within this document. Clients are responsible for defining their own PCI compliance scope. Where applicable, Clients should seek guidance from a valid Qualified Security Assessor (QSA).
2. The controls matrix below references PCI DSS 4.0.
3. Controls not listed are the sole responsibility of DPX.