Example engagement — illustrative
Helping a dental practice complete its PCI DSS self-assessment
Private dental practice (three chairs) · PCI DSS
The challenge
A private dental practice taking card payments for treatment plans was unsure which PCI DSS self-assessment questionnaire applied and worried its card handling left it exposed.
What we did
- Mapped how card data was taken — in person, over the phone and via a payment link
- Determined the right SAQ type for its payment setup under PCI DSS v4.0.1
- Moved telephone payments to a method that kept card data out of practice systems
- Documented policies, staff handling procedures and the annual attestation
- Completed and submitted the appropriate SAQ with its acquiring bank
The outcome
The practice completed the correct SAQ under PCI DSS v4.0.1 and reduced how much card data it handled directly.
Background
Any business that takes card payments has obligations under the Payment Card Industry Data Security Standard. For a small dental practice the difficulty is rarely a lack of will — it is working out which of the several Self-Assessment Questionnaires (SAQs) applies, because the answer depends entirely on how payments are taken. In this illustrative example, a three-chair private practice accepted cards at reception, occasionally took payment for treatment plans over the phone, and sent payment links for larger courses of work. That mixture left the practice manager unsure of the scope and quietly anxious that card details were lingering somewhere they should not.
What we did
We started by mapping the payment journeys rather than reaching for a questionnaire. Following the card data through each route — the terminal at reception, the phone calls, the emailed links — showed exactly where card details were entered, handled or stored. That map is what determines the correct SAQ under the current PCI DSS v4.0.1, and it also revealed the practical risk: taking card numbers over the phone was pulling card data into the practice’s own environment and widening its scope.
So we changed the process. Telephone payments were moved to a method that kept card data out of the practice’s systems entirely, which both reduced risk and simplified which questionnaire applied. With the payment flows tidied, we documented the supporting policies and staff handling procedures, confirmed the annual attestation, and completed the appropriate SAQ for submission to the acquiring bank.
Result
The practice completed the correct SAQ under PCI DSS v4.0.1 and, more importantly, handled markedly less card data directly than before. Reception staff had a clear procedure to follow, and the manager had confidence that the practice’s card handling would stand up to its bank’s scrutiny.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.