Trust & compliance
Compliance posture for the patient-pay leg
Payments-industry compliance — PCI, SCA, sanctions / AML, scheme programme
posture — carried on the merchant's behalf. HIPAA is out of scope because the
platform's data scope excludes PHI by design.
- PCI DSS Level 1
- Annual on-site assessment plus quarterly ASV scans; sub-merchants inherit the posture across every connected acquirer.
- SCA & PSD2 (EU)
- Selective EMV 3DS2 keeps European patient-pay approval high without skipping the SCA bar.
- NACHA / SEPA mandate handling
- ACH and SEPA Direct Debit mandates captured and retained per scheme rules; mandate IDs travel with each recurring authorisation.
- Sanctions & AML alignment
- Sanctions screening at onboarding; AML monitoring tuned per merchant's vertical and volume profile.
- Not a HIPAA-covered entity
- topropay does NOT operate in insurance claim adjudication, does NOT handle Protected Health Information (PHI), and is NOT a HIPAA business associate or covered entity. Payment metadata is scoped to invoice reference only.
- Licensed verticals only
- Licensed dental, vet, mental-health, aesthetics, telehealth and wellness merchants supported where current operating licences exist. Grey-market or unlicensed healthcare-adjacent operators are out of scope.