Security & compliance

Your card never lives on our servers

AETHRAFORM uses Helcim as its payment processor specifically because of its security posture. Helcim is a Level 1 PCI-DSS compliant service provider — the strictest tier defined by the Payment Card Industry — and the practice operates under a Helcim HIPAA Business Associate Agreement.

This page summarizes the security controls Helcim documents publicly. The authoritative source is Helcim's own security page at helcim.com/security.

Security controls

The technical safeguards Helcim applies to every transaction handled on our behalf.

Level 1 PCI-DSS service provider

Helcim maintains the highest tier of PCI compliance through rigorous on-site audits, vulnerability scanning, penetration testing, and adherence to NIST security practices.

AES-256 encryption at rest

All sensitive merchant and cardholder data — including names, card numbers, expiry dates, and cardholder addresses — is stored with AES-256 encryption.

TLS 1.2+ in transit

Card data moves between your device and Helcim only over TLS 1.2 or newer connections with strong ciphers. The outdated SSLv3, TLSv1.0, and TLSv1.1 protocols are explicitly disabled.

Card Vault tokenization

When you save a card for a treatment plan, Helcim returns a one-way token. We can charge that token for follow-up visits without ever seeing or storing the underlying card number.

Hosted iframe checkout

PCI scope reduction

HelcimPay.js renders the payment form inside a Helcim-controlled iframe. Card numbers, expiry, and CVV are typed directly into Helcim and never traverse the practice’s servers.
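Because the token flow and the hosted iframe described above keep card numbers out of the practice's systems, the practice's own backend should only ever receive a transaction result and a token. The following Python is an added example (it is not HelcimPay.js, Helcim's code, or the practice's code) of a server-side guard that enforces exactly that: it keeps only the expected result fields and refuses any payload in which a Luhn-valid card number appears, which would indicate the hosted-iframe flow had been bypassed. The field names transactionId, cardToken, status and amount, and the txn_ / tok_ prefixes in the sample data, are assumptions, not Helcim's documented format.

```python
"""Guard for a merchant backend that must only ever handle payment tokens.

Hypothetical example: the field names (transactionId, cardToken, status,
amount) are assumed, not taken from Helcim's documentation.
"""
import logging
import re

logger = logging.getLogger("payments")

# 13 to 19 digits, optionally separated by spaces or hyphens, and not part
# of a longer digit run (so a 20-digit order id is not split into a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields a tokenized checkout result legitimately carries (assumed names).
ALLOWED_FIELDS = frozenset({"transactionId", "cardToken", "status", "amount"})


class CardDataLeakError(ValueError):
    """Raised when something that looks like a card number reaches the backend."""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the string contains a Luhn-valid run of 13 to 19 digits."""
    for match in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            return True
    return False


def find_pan_fields(payload, path=""):
    """Walk nested dicts and lists; return dotted paths of values that look like PANs."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits.extend(find_pan_fields(value, f"{path}.{key}" if path else str(key)))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            hits.extend(find_pan_fields(value, f"{path}[{index}]"))
    elif isinstance(payload, str) and looks_like_pan(payload):
        hits.append(path)
    return hits


def accept_checkout_result(payload: dict) -> dict:
    """Keep only the token and result fields; refuse anything carrying card data.

    Raising rather than silently dropping matters: a PAN arriving here means
    the hosted-iframe flow was bypassed and this server is now in PCI scope.
    """
    hits = find_pan_fields(payload)
    if hits:
        # Log the field paths only, never the values.
        logger.error("card data reached merchant backend in fields %s", hits)
        raise CardDataLeakError(f"card data present in fields: {hits}")
    unexpected = sorted(set(payload) - ALLOWED_FIELDS)
    if unexpected:
        logger.warning("dropping unexpected checkout fields %s", unexpected)
    return {key: payload[key] for key in ALLOWED_FIELDS if key in payload}


if __name__ == "__main__":
    # Constructed sample of what a tokenized result is assumed to look like.
    sample = {"transactionId": "txn_01HZ", "cardToken": "tok_7f3a9c2e",
              "status": "APPROVED", "amount": "150.00"}
    print(accept_checkout_result(sample))
```

The guard flags any Luhn-valid 13 to 19 digit run, so if a processor issued purely numeric tokens that field would have to be exempted from the scan; the error log records only field paths, never the offending values, so the log itself does not become a store of card data.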

Multi-factor authentication

Multi-factor authentication is required for all Helcim staff accessing production systems and is available to every merchant operating the dashboard.

IDS/IPS + 24/7 monitoring

Production infrastructure sits behind firewalls with intrusion detection and prevention systems, and is continuously monitored for suspicious activity.

Daily encrypted backups

Helcim runs daily automated backups stored across multiple data centers and offsite, protecting transaction records against single-region failures.

What Helcim never stores

PCI-DSS prohibits long-term storage of these data elements. Helcim does not retain them at any point in the transaction lifecycle.

  • CVV / card verification value
  • PINs
  • Full EMV chip data
  • Magnetic-stripe track data

HIPAA

HIPAA Business Associate Agreement in place

Healthcare merchants need a Business Associate Agreement (BAA) with any vendor that could touch protected health information. Helcim signs HIPAA BAAs on request, and AETHRAFORM operates under that BAA. Any payment-related personal data exchanged with Helcim — including names tied to medical procedures — is covered by HIPAA safeguards.

Frequently asked questions

What does "Level 1 PCI-DSS" mean?

Level 1 is the strictest tier of the Payment Card Industry Data Security Standard, applied to processors handling the largest transaction volumes. Maintaining it requires annual on-site audits, quarterly external scans, penetration testing, and continuous compliance evidence.

Does my card number ever touch AETHRAFORM’s servers?

No. HelcimPay.js renders the payment form inside an iframe served from Helcim’s domain. Card details flow directly from your browser to Helcim. We receive only a transaction result and a tokenized reference.

How does Helcim protect data at rest?

Helcim encrypts sensitive merchant and cardholder data — names, card numbers, expiry dates, cardholder addresses — with AES-256. Backups are encrypted as well and stored across multiple data centers.

Is there a HIPAA Business Associate Agreement?

Yes. Helcim signs HIPAA BAAs on request for healthcare merchants. AETHRAFORM operates under that BAA so any payment-related personal data exchanged with Helcim is treated as protected health information.

How long is sensitive cardholder data retained?

Helcim retains sensitive cardholder data for up to 48 months of inactivity, after which it is purged according to PCI-DSS retention rules.

Disclosures

  • Security and compliance details on this page summarize Helcim’s public documentation. The authoritative source is Helcim’s own security page at helcim.com/security.
  • Payments on aethraform.com are processed by Helcim, a Level 1 PCI-DSS compliant payment processor. AETHRAFORM never receives or stores full card numbers.
  • Card brands, network availability, Apple Pay / Google Pay support, and ACH transfer eligibility are determined by your card issuer, device, and Helcim’s availability — not by AETHRAFORM.
  • For information about third-party financing (CareCredit, Alphaeon, PatientFi, Cherry), see /financing-options. Helcim is the merchant processor only and does not extend credit.