For online payments, patients are directed to a hosted patient portal or a secure third-party vendor site to enter their credit card information. The first option puts patient credit card data at risk and typically requires the PCI audit, which is the most detailed—and costly—audit in accordance with the PCI security standards..