Get a Discount
Unlock Unbeatable Savings: ACH Processing at 10 Cents per Transaction!
Contact Us

Updated by 06.22.2023

E-Complish Achieves PCI DSS, HIPAA, SOC 2, and Nacha Recertifications

Payment solutions company continues to meet and exceed very stringent security standards


Continuing a flurry of accomplishments that have also included acquisitions, new partnerships, and additions to its menu of solutions consecutive, E-Complish has – for the 13th consecutive year – been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS). Additionally, the payment solutions and services provider has been recertified for its compliance with standards contained in the Security Rule component of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as with SOC 2 criteria developed by the American Institute of CPAs (AICPA) to manage customer data based on five “trust service principles.” It also successfully completed its annual Automated Clearing House (ACH) audit, ensuring its compliance with all rules and regulations set by Nacha, which governs the ACH network.

E-Complish remains fully adherent to DSS 3.2.1, the strictest, all-encompassing version of PCI-DSS standards to date. Developed and enforced by the PCI-DSS Standards Council, the PCI-DSS comprises a series of measures designed to thwart fraud. Merchants. Payment processors, and credit card service providers are required to exercise these measures to safeguard and ensure consumers’ credit card information security. While all businesses that accept, handle, process, or store credit card information must comply with these measures, the extent of required compliance varies by merchant level as categorized in the PCI-DSS.

E-Complish is a designated Level 1 PCI-DSS 3.2.1 Service Provider—the highest of four merchant levels. To hold this designation and to be certifies as PCI-compliant, the company must undergo an assessment by a third-party Qualifies Security Assessor (QSA) to evaluate whether and to what extent it meets the requirements outlined in the 12 sections of the PCI-DSS 3.2.1. The requirements encompass more than 300 elements, and the QSA must obtain several thousand pieces of evidence and conduct a physical inspection in conducting its assessment.

In addition, the successful completion of a security assessment by a third-party firm also led to the recertification of E-Complish’s compliance with HIPAA. Applicable to all entities that handle patients protected electronic health information (ePHI), HIPAA comprises physical, network, and process security standards. These entities must, in accordance with the HIPAA Security Rule, implement and exercise administrative, physical, and technical safeguards to ensure the security of ePHI.

The HIPAA security assessment entailed an exhaustive, meticulous review of policies and procedures, network and data flow diagrams; physical and environmental security; disaster recovery backup processes; vulnerability management; penetration testing, system hardening standards, and other pertinent areas. The independent third-party security audit also closely examined E-Complish’s patch management; access control; data storage, logging, auditing; security monitoring and incident response practices and methods.

Similarly, E-Complish’s SOC 2 recertification follows an assessment by outside auditors who investigated the extant to which the payment solutions provider complies with one or more of the five trust principles based on systems and processes in place at the company. These trust principles include security (protection of system resources against unauthorized access), availability (accessibility of systems, products, or services as stipulated by contract or service level agreement), and processing integrity (offering complete, valid, accurate, timely, and authorized data processing). Two additional trust principles center on the preservation of data confidentiality (via encryption, network, and application firewalls, and rigorous access controls) and privacy (the collection, use, retention, disclosure, and disposal of customers’ personal information in conformity with individual organizations’ privacy notice, along with criteria outlined in the AICPA’s generally accepted privacy principles.

Rounding it out, the rules-based ACH audit, conducted by Accredited ACH Professional, included and= in-depth examination of each facet of E-Complish’s ACH operations, from receipt processes and internal and external origination to related agreements and forms. “Nacha requires every participating financial institution and Third-Party Sender/Service Provider to conduct an annual audit of its ACH operations and related processes,” noted E-Complish ACH Analyst Jennifer Fiels, who headed up the AVH audit project. “Our successful completion of the audit if proof positive that we are compliant with the most current ACH rules and regulations, which can change over time.”

Greg Gaines, E-Complish’s Director of Compliance and Client Support, said the payment processing company has defined plans for adherence of the PCI-DSS, the HIPAA Security Rule, SOC 2, and Nacha rules and regulations. “Diligence on all four fronts remains the watchword for us, in keeping with our commitment to ensuring the security of all our customers’ data—from credit card information to ePHI and beyond,” Gaines noted. “PCI DSS, HIPAA, SOC, and Nacha rules and regulatory compliance is critical to our mission to help the merchants we serve and afford the same high-level protection to all its customers, clients, and patients.”

E-Complish CEO and Chief Security Officer Stephen Price agreed, adding the “working with a certified PCI, HIPAA, SOC 2, and Nacha compliant payment processing company is the best defense businesses of all kinds can mount against compromise to the privacy and integrity of their customers’ data—not to mention potentially devasting damage to their reputations.”

“The risk of data breaches and compromise in increasing every day and will continue to increase as perpetrators develop new schemes and ways to perpetuate them,” Price said. “This makes it more important than ever for merchants to go the extra mile when it comes to data protection. Choosing a PCI-, HIPAA-, SOC 2, and Nacha-compliant payment processing partner is one effective way to do so. By certifying our compliance, we can be that partner now and going forward.”


Marc Hopkins
Vice President of Strategic Relations, E-Complish, Inc.