Case Study

Audit-Ready Infrastructure: PCI and SOC 2 Compliance for a National Medical Billing Platform

How netMethods managed the private cloud infrastructure and remote office environments for a national healthcare SaaS platform — and led the engagement that delivered clean PCI and SOC 2 Type II audits with zero findings.

The Situation

A national SaaS medical billing platform — whose software is used by some of the largest hospital systems in the country — processes highly sensitive financial and patient data at scale. That combination of payment card data and protected health information places the platform squarely in the crosshairs of two of the most rigorous compliance frameworks in any industry: PCI DSS (Payment Card Industry Data Security Standard) and SOC 2 Type II.

netMethods doesn’t manage the application itself — the platform’s own engineering team owns the software. What netMethods manages is everything the application runs on: the entire private cloud infrastructure that hosts the platform, and the remote office environments that the company’s internal teams depend on to operate the business. When it came time to face formal audits for both PCI and SOC 2, that infrastructure had to be demonstrably compliant — documented, controlled, and audit-ready in every detail.



The Challenge

  • PCI DSS requires rigorous controls around any environment that stores, processes, or transmits cardholder data — including the infrastructure layer beneath the application

  • SOC 2 Type II evaluates not just whether controls exist, but whether they operated consistently over an extended observation period — a much higher bar than a point-in-time assessment

  • The private cloud environment had to demonstrate network segmentation, access controls, encryption, logging, and change management practices that could withstand auditor scrutiny

  • Remote office environments needed to meet the same security standards as the primary infrastructure — every endpoint, every connection, every user

  • Any gap in the infrastructure layer — regardless of how well the application itself was designed — would result in an audit finding that reflected on the entire platform



The Approach

Gap Assessment Against Both Frameworks

netMethods conducted a thorough assessment of the managed infrastructure against the PCI DSS and SOC 2 Trust Services Criteria requirements, identifying every control gap that needed to be addressed before audit. Rather than treating the two frameworks as separate workstreams, we mapped the overlapping requirements to avoid duplication and ensure that controls implemented for one audit supported the other wherever possible.

Infrastructure Hardening & Segmentation

The private cloud environment was reviewed and hardened across every relevant control domain. Network segmentation was verified and documented to ensure that cardholder data environments were appropriately isolated. Firewall rule sets were audited and tightened. Encryption was confirmed across all data in transit and at rest. Access controls were reviewed against the principle of least privilege, with every administrative account documented, justified, and subject to multi-factor authentication.

Logging, Monitoring & Change Management

SOC 2 Type II requires evidence that controls operated consistently over time — not just that they were in place on audit day. netMethods ensured comprehensive logging was in place across the infrastructure, with centralized log management, alerting, and retention policies that met both frameworks’ requirements. Change management procedures were formalized and documented so that every infrastructure change was tracked, reviewed, and traceable throughout the audit observation period.

Remote Office Environment Compliance

The company’s remote office environments — including endpoint devices, network connections, and user access to internal systems — were brought into alignment with the same security standards applied to the primary infrastructure. Endpoint protection, encrypted communications, access controls, and policy enforcement were standardized across every remote location.

Audit Support & Evidence Package

When auditors arrived, netMethods worked directly alongside the client’s team to respond to information requests, provide infrastructure documentation, and walk assessors through the control environment. The evidence package — covering network architecture diagrams, access control records, change logs, monitoring reports, and policy documentation — was prepared in advance and organized for efficient auditor review.



The Outcome

The platform passed both the PCI DSS and SOC 2 Type II audits with zero findings. Every infrastructure control was verified, every piece of evidence was in order, and the audit process proceeded without surprises. For a company whose entire business depends on the trust of major hospital systems and their patients, a clean audit isn’t just a compliance checkbox — it’s a fundamental part of what makes the product viable in the market.

netMethods continues to manage the infrastructure on an ongoing basis, maintaining audit readiness as a continuous posture rather than a periodic scramble — so that when the next audit cycle arrives, the answer is already yes.



Results at a Glance

  • PCI DSS audit passed — zero findings

  • SOC 2 Type II audit passed — zero findings

  • Full private cloud infrastructure managed and audit-ready

  • Remote office environments brought into compliance alignment

  • Comprehensive evidence package delivered for both audit frameworks

  • Ongoing infrastructure management maintains continuous compliance posture



About netMethods

netMethods is a managed IT services provider headquartered in Lake Forest, CA, with over 25 years of experience supporting organizations across Orange County and Southern California. We specialize in managed IT, cloud infrastructure, IT security, and practical AI solutions for healthcare, manufacturing, public sector, and professional services organizations.
