Securing your data.

Helcim is committed to helping our merchants stay secure and compliant. We undergo rigorous audits, testing, and inspections to maintain the highest level of compliance in the industry.

For more information, visit our trust center at trust.helcim.com

Data management.

Merchants trust Helcim to securely manage and protect customer payment data, removing their systems from security and compliance scope using tools like Card Vault, Helcim.js, hosted payment pages, and our developer API.

Daily Backups

Databases are automatically backed up daily to protect merchants against lost, corrupted, stolen or destroyed data. Backups are performed between data centers, as well as offsite. This is part of our commitment to ensuring ongoing business continuity.

Data storage

We use self-replicating database clusters to store transaction, cardholder, and merchant data, ensuring uptime and load balancing. Sensitive cardholder data is retained for up to 48 months of inactivity. Customer and merchant data is logically separated and inaccessible to each other. Access by authorized Helcim staff is logged for security and PCI-DSS compliance.

Network setup.

Helcim proactively safeguards data with firewalls, IDS, and IPS on servers. We conduct regular system updates and respond swiftly to major vulnerabilities by applying patches. Servers are hardened following security guidelines.

Firewalls and IDS/IPS

Helcim employs firewalls with Intrusion Detection and Prevention Systems to guard against active and passive threats. These systems monitor network traffic for abnormalities, malicious code, and vulnerabilities. Servers also have locally installed IDS and IPS to detect and warn system administrators of unusual activity. If suspicious activity is detected, the IPS will take the action required to protect the servers while alerting Helcim's security team for monitoring review.

System updates

The servers and networks appliances are regularly updated to ensure all software is up to date. If a major vulnerability is discovered, patches are applied immediately by Helcim's system and security team. Per our compliance, all updates are logged as part of our change-control policies.

Authentication & access controls.

To safeguard Helcim's data and systems, we enforce strict access controls, such as VPN requirements, defined user roles, multi-factor authentication, and comprehensive logging for network access and activity. Our internal office networks are isolated from platform environments and have restrict wireless access. Internal systems are only accessible by employees who are locally and physically connected to the network.

Deny-All Policies

Firewalls deployed to our server environments have deny-all policies by default. All connections for inbound and outbound traffic must be approved and added as new firewall rules.

Multi-factor authentication

Helcim requires multi-factor authentication for all staff and extends it to merchants for their internal compliance and requirements.

Password protection

Helcim uses a strict password standard for security. Passwords are always complex, changed regularly, hashed, salted, and users cannot reuse their previous 13 passwords.

Physical access

We select cloud data centre providers with 24/7 onsite security, including restricted physical access controls, multi-factor authentication, and biometrics for key personnel.

Encryption.

Helcim employs AES-256 encryption for all sensitive merchant and cardholder data, such as name, card numbers, expiry dates and cardholder address in order to meet PCI compliance. We do not store CVV, PIN, EMV, or mag data.

Information in transit

Helcim safeguards data in transit with TLSv1.2 and strong cyphers, excluding outdated SSLv3, TLSv1.0, and TLSv1.1 from our systems. This ensures that data is encrypted in transit and maintains integrity.

Service uptime.

Helcim devotes significant resources to ensure the most uptime possible for our networks and merchants. These safeguards include redundant virtual environments across cloud-based data centers, using service providers that utilize best industry practices including backup power generation and dual-path power distribution systems.

Compliance.

Helcim is a Level 1 PCI-DSS compliant service provider, by undergoing rigorous on-site audits, vulnerability scanning, penetration testing, and adherence to NIST security practices, all aimed at ensuring the highest level of data security compliance with the Payment Card Industry Data Security Standard.

HIPAA Compliant

HIPAA compliance for healthcare merchants.

For healthcare merchants processing patient payments, protecting sensitive health information is just as critical as protecting payment data. Helcim is fully HIPAA compliant, ensuring that Protected Health Information (PHI) is safeguarded with the same rigor we apply to our PCI-DSS obligations.

Our platform implements the administrative, physical, and technical safeguards required by the HIPAA Security Rule—including encryption at rest and in transit, strict access controls, audit logging, and Business Associate Agreements (BAAs) with all applicable vendors. This means clinics, dental offices, therapy practices, and other healthcare providers can accept credit card payments confidently, knowing their patients' data is protected at every step.

End-to-end encryption — PHI and payment data are encrypted both at rest (AES-256) and in transit (TLS 1.2+).

Business Associate Agreements — Helcim signs BAAs with healthcare merchants, formalizing our shared commitment to HIPAA compliance.

Access controls & audit logging — Role-based permissions, MFA enforcement, and comprehensive audit trails ensure accountability.

Tokenized payment storage — Sensitive card data never touches your systems, reducing both PCI and HIPAA scope for your practice.

Software development & testing.

Our in-house team follows secure coding practices, conducts code reviews, and performs regular vulnerability scanning and penetration testing to protect against threats.

Secure coding practices

All development follows strict secure coding standards based on OWASP guidelines. Code reviews are mandatory before any changes are deployed to production, with automated and manual security testing as part of our CI/CD pipeline.

Vulnerability scanning

Helcim performs regular internal and external vulnerability scans as required by PCI-DSS. These scans identify potential weaknesses in our infrastructure and applications, enabling us to remediate issues before they can be exploited.

Penetration testing

Helcim engages independent third-party security firms to conduct annual penetration testing against our network and application infrastructure, simulating real-world attack scenarios to verify the effectiveness of our security controls.

Frequently asked questions.

Helcim is a PCI Level 1 Service Provider, which is the highest security standard in the payment industry. We protect cardholder data using AES-256 encryption and enforce secure transmission protocols. Because we utilize tokenization through our Card Vault and Helcim.js, your customers' credit card details are sent directly to our secure servers, keeping sensitive data off your network and reducing your compliance liability.

The Helcim Card Vault is a secure tokenization system. It allows you to store customer credit card information for recurring billing or future purchases without actually keeping the card numbers on your systems. Instead, the data is stored in our secure, encrypted vaults, and we issue a unique token to your account. This removes your servers from security scope and keeps your business fully compliant.

Yes. All data sent between your systems, your customers, and Helcim is encrypted in transit using Transport Layer Security (TLS 1.2 or higher) and strong cryptographic ciphers. This ensures that sensitive information remains secure, private, and tamper-proof as it travels over the network.

Absolutely. To safeguard your account from unauthorized access, Helcim supports Multi-Factor Authentication (MFA) for all merchants and their staff. You can easily enable MFA in your account settings, requiring a secondary verification code when logging in to ensure your business settings and funds remain secure.

We protect our platform using advanced firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) that actively monitor network traffic and block potential threats. Our infrastructure is hosted in secure data centers with 24/7 physical security and biometric access, and we perform daily backups between data centers and offsite locations to guarantee business continuity.

Yes. Helcim undergoes annual on-site security audits conducted by independent third-party Quality Security Assessors (QSAs) to maintain our PCI Level 1 status. We also perform quarterly vulnerability scans, regular external and internal penetration testing, and continuous code reviews to ensure our software and infrastructure stay hardened against new vulnerabilities. You can learn more about our security controls by visiting our trust centre.

Start accepting payments today.

Create your free account instantly with no paperwork or commitments