Allison —
Yōni.Fit has a problem that no one has told you about, and it is the single most urgent issue in the company.
Today, when a customer places an order on yonifit.com, her card information is captured through an unsecured web form on the website and then manually keyed into WooCommerce by a member of your team. This pattern violates Stripe's Services Agreement and the PCI DSS standard that every card-accepting merchant is contractually bound to. A single compromise of that form data — a breach of the WordPress site, unauthorized access to the inbox where submissions are stored in plaintext, or a compromise of any device with access — triggers forensic audit costs, fines, mandatory breach notifications, card brand penalties, and civil exposure that routinely exceed $100,000 before litigation. For a company at this stage, that ends the business.
I do not think anyone has been straight with you about this yet. Katlyn asked me to take a careful look at the payment side of the business, and what I found goes beyond payments. This document walks you through it.
The critical issue must be resolved in the next two weeks. The rest can be addressed alongside it.
SüRJ is built around four pillars, in this order:
The findings below come from the second pillar. The recommendations come from the third. What we are asking for at the end of this document is the start of the fourth.
This is the issue described above, and it warrants a closer walk-through because most founders are never told the specifics.
The current checkout flow on yonifit.com captures raw cardholder data — primary account number, expiration, security code, billing address — through a standard WordPress form. That data is then transmitted, stored, and accessed by your team in an environment that does not meet any payment processor's security requirements and does not meet PCI DSS. A team member then enters the captured card data manually into WooCommerce to charge the customer through Stripe.
Three concrete exposures result from this:
It is not permitted under your Stripe agreement. Stripe's Services Agreement requires merchants to collect card data only through Stripe's own tokenized surfaces — Checkout, Elements, or Payment Links — which tokenize the card in the customer's browser so the merchant never sees the number. A merchant-controlled web form that captures raw card data for later manual entry falls outside that. If Stripe identifies the pattern through a chargeback investigation or routine review, it can freeze or close the account, and your ability to accept payment disappears overnight.
It places yonifit.com in PCI DSS scope at its highest level. Because the site itself stores, processes, and transmits cardholder data, the full standard applies (SAQ D for merchants: several hundred requirements under PCI DSS v4.0) — protection of stored account data (Requirement 3), encryption in transit over public networks (Requirement 4), quarterly external vulnerability scans by an approved scanning vendor, annual penetration testing, restricted and logged access (Requirements 7 and 10), a documented incident response plan, and more. Worse, the security code is sensitive authentication data that may not be stored at all after authorization, even encrypted (Requirement 3.3), so a form that writes it to an inbox cannot be made compliant by bolting controls on. The current setup meets none of these requirements and cannot be made to meet them economically.
The downstream cost of a single incident is the business. A breach of the form, unauthorized access to the inbox where submissions are stored in plaintext, or a compromise of any device with access initiates a forensic investigation (typically $50,000–$75,000 minimum), card brand fines ($5,000–$10,000 per month per violation), per-card penalties ($50–$90 per compromised card), state breach notification costs, civil litigation exposure, and the loss of the merchant account itself. For a company at this stage, this is an extinction event — not a setback.
The remedy is not Stripe. The remedy is replacing the entire payment infrastructure with a properly tokenized integration through Dejavoo on WooCommerce, in which the card fields are served by the processor and the card number never reaches yonifit.com's server, your inbox, or your team. This brings yonifit.com into PCI DSS SAQ A scope (the shortest self-assessment questionnaire, a few dozen questions instead of several hundred) and eliminates the manual-entry exposure permanently. One caveat worth knowing: SAQ A applies only when every payment page element that touches card data comes from a PCI DSS validated third party (a hosted page, a redirect, or an iframe the processor controls); a form on your own page that posts card data directly to the processor falls under the larger SAQ A-EP instead, so the integration has to be done the right way, not merely a different way. We complete this remediation in the first week of the engagement.
The "Stay Updated" homepage form, the ePrescribe intake, and the provider kit request all collect information that — given the medical nature of Yōni.Fit and the explicit role-selection options on these forms — falls within HIPAA's definition of Protected Health Information. WordPress and standard form plugins do not provide a Business Associate Agreement, the legal instrument required for any vendor handling PHI on behalf of a covered entity. This creates direct HIPAA liability for both Yōni.Fit and any prescribing provider whose patients use your forms. We migrate these to a BAA-covered platform as part of the engagement.
The homepage is built in WPBakery Page Builder, and the seams show. The size-chart section appears twice in conflicting layouts. The video grid uses flat black labels in a way that reads more like a product listing than a women's health brand built on dignity. The Instagram feed dump at the bottom reads as page-builder default, not editorial choice. The line "Dignity comes in many sizes (six of them, to be exact)" is the strongest copy on the site, and it is buried beneath two duplicated grids fighting for attention. A measured cleanup of these sections — keeping the brand voice that is working — substantially raises how the site reads to a first-time visitor.
The site's viewport meta tag explicitly disables pinch-zoom on mobile (the user-scalable=no / maximum-scale=1 pattern). For a product whose primary audience skews 40+ and may have visual or motor impairments, this is hostile UX and a documented accessibility failure: WCAG 2.x Success Criterion 1.4.4 requires that text remain usable when resized to 200%, and WCAG is the benchmark ADA web-accessibility claims are measured against. Companies have been sued for less. This is a one-line code fix.
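A small audit script for exactly this finding, added here as a worked example (it is not code from yonifit.com or from SüRJ): it pulls the viewport meta tag out of a page's HTML, reports which settings block zoom, and returns the corrected attribute value. The sample HTML is constructed; the threshold of 2 for maximum-scale comes from the 200% resize requirement in WCAG 1.4.4. Note that iOS Safari has ignored user-scalable=no since iOS 10 while Android Chrome honors it, so a check on one phone can hide the problem.

```javascript
// Added example (not from the proposal): audit a page's viewport meta tag for
// settings that block pinch-zoom and produce a corrected value.
// `user-scalable=no` (or 0) and `maximum-scale` below 2 both defeat the 200%
// zoom that WCAG 2.x SC 1.4.4 expects.

// Pull the content attribute of <meta name="viewport"> out of an HTML string.
// Returns null when the page has no viewport meta tag; attribute order inside
// the tag is not assumed.
function extractViewportContent(html) {
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/\bname\s*=\s*["']?\s*viewport\s*["']?/i.test(tag)) continue;
    const m = tag.match(/\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    return m ? (m[1] ?? m[2] ?? m[3]) : "";
  }
  return null;
}

// Parse "key=value, key=value" into an ordered list of [key, value] pairs.
// Browsers accept comma or semicolon separators and tolerate stray spaces.
function parseViewport(content) {
  return content
    .split(/[,;]/)
    .map((s) => s.trim())
    .filter(Boolean)
    .map((kv) => {
      const i = kv.indexOf("=");
      return i < 0
        ? [kv.toLowerCase(), ""]
        : [kv.slice(0, i).trim().toLowerCase(), kv.slice(i + 1).trim()];
    });
}

// True when this key/value pair restricts user zoom.
function blocksZoom(key, value) {
  if (key === "user-scalable" && /^(no|0)$/i.test(value)) return true;
  if (key === "maximum-scale" && parseFloat(value) < 2) return true;
  return false;
}

// List the offending settings in the order they appear (empty list = fine).
function zoomProblems(content) {
  return parseViewport(content)
    .filter(([k, v]) => blocksZoom(k, v))
    .map(([k, v]) => `${k}=${v}`);
}

// Corrected attribute: drop the zoom restrictions, keep everything else.
function fixViewport(content) {
  return parseViewport(content)
    .filter(([k, v]) => !blocksZoom(k, v))
    .map(([k, v]) => (v === "" ? k : `${k}=${v}`))
    .join(", ");
}

// Whole-page audit: returns null content when the tag is missing.
function auditPage(html) {
  const content = extractViewportContent(html);
  if (content === null) return { content: null, problems: [], fixed: null };
  return { content, problems: zoomProblems(content), fixed: fixViewport(content) };
}

// Constructed sample page with the zoom-blocking pattern.
const SAMPLE_HTML = `<html><head><meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no">
</head><body></body></html>`;

console.log(auditPage(SAMPLE_HTML));
```

Run it with `node` against a saved copy of the homepage (`curl -s https://yonifit.com -o home.html` and pass the file contents) to confirm the finding, and re-run after the tag is changed to make sure `problems` comes back empty.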
A prospective patient who fills out "Get a Yōni.Fit" today receives no structured follow-up. There is no nurture sequence helping her have the prescription conversation with her provider, no reminder, no resource sent. Whatever share of these visitors abandons the prescription path does so silently. A five-touch automated nurture sequence — text and email, branded to Yōni.Fit, sent through a HIPAA-compliant platform — recovers a meaningful percentage of these.
"For Providers" is a content section, not an operational system. Providers requesting kits receive no structured onboarding sequence, no re-order workflow, no patient-tracking interface. The provider channel is the lever that takes Yōni.Fit from direct-to-consumer single-unit sales to per-clinic recurring volume. It deserves real infrastructure. This sits in our future scope, not the immediate engagement.
The current plugin load slows page rendering enough to affect both conversion and search ranking. For a prescription product where prospective patients search terms like "stress urinary incontinence treatment" or "alternative to surgery", organic search visibility is meaningful revenue. The cleanup work in finding #3 also addresses this.
Logo treatments vary across pages. Type hierarchy is erratic. Color usage lacks discipline. Each item is small on its own; together they undermine trust at exactly the moments when a first-time visitor is deciding whether Yōni.Fit feels like a real medical device company or a Shopify side project.
A single, integrated engagement covering immediate remediation and operational foundation.
Replace the unsecured web form and Stripe-based manual entry with a properly tokenized Dejavoo + WooCommerce integration. Audit and securely purge any historical form-submitted card data wherever it landed: the form plugin's entry tables in the WordPress database, the inbox that receives submissions, any exports or spreadsheets made from either, and the backups of all of these. Document the change with a written remediation memo for the file. By end of week one, yonifit.com is in PCI DSS SAQ A scope and out of Stripe TOS exposure entirely.
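The audit step above needs a way to find card numbers hiding in free-text exports before anything is purged. The following is an added example of that triage scan, not code from SüRJ or from the yonifit.com site: it pulls 13–19 digit runs (with the spaces or dashes people type into forms) out of an exported submission dump, keeps only those that pass the Luhn check every real PAN satisfies, masks them to the last four digits, and also flags lines that carry a security-code field, which must not exist at all after authorization. The sample export lines are constructed; the card numbers in them are the public Visa and Amex test numbers, and the 1234… value is an order-ID-shaped number that fails Luhn.

```javascript
// Added example (not from the proposal): triage scan of exported form
// submissions for primary account numbers (PANs) and security-code fields,
// so the purge can be scoped. Feed it the form plugin's entry export, a
// mailbox dump, and any backups of either.

// Luhn (mod 10) check. Every card PAN passes it, so it filters out most
// order IDs and phone numbers that merely look card-shaped. It is necessary,
// not sufficient: some non-card numbers also pass, so review hits by hand.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Rough issuer label from the leading digits. Only the well-known ranges;
// anything else is reported as "unknown" rather than dropped.
function issuer(pan) {
  const lead4 = parseInt(pan.slice(0, 4), 10);
  if (/^4/.test(pan)) return "visa";
  if (/^5[1-5]/.test(pan) || (lead4 >= 2221 && lead4 <= 2720)) return "mastercard";
  if (/^3[47]/.test(pan)) return "amex";
  return "unknown";
}

// Keep only the last four digits, the most PCI DSS permits to be displayed.
function mask(pan) {
  return "*".repeat(pan.length - 4) + pan.slice(-4);
}

// Candidate PAN: 13-19 digits, optionally separated by single spaces/dashes.
const CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;
// Field labels under which the security code is usually captured.
const SAD_FIELD = /\b(cvv2?|cvc2?|cid|security[ _-]?code)\b/i;

// Scan text line by line. Returns {pans, sadLines}: one pan finding per
// Luhn-valid candidate, and the line numbers that carry a security-code field.
function scanExport(text) {
  const pans = [];
  const sadLines = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(CANDIDATE)) {
      const pan = m[0].replace(/[ -]/g, "");
      if (luhnValid(pan)) {
        pans.push({ line: idx + 1, masked: mask(pan), issuer: issuer(pan) });
      }
    }
    if (SAD_FIELD.test(line)) sadLines.push(idx + 1);
  });
  return { pans, sadLines };
}

// Constructed sample export (public test card numbers, fictional entries).
const SAMPLE_EXPORT = [
  "entry_id=101 | name=Jane D. | card=4242 4242 4242 4242 | exp=04/27 | cvc=123",
  "entry_id=102 | name=R. Lee | card=1234567890123456 | exp=09/26",
  "entry_id=103 | phone=+1 555-010-1234 | note=please call before shipping",
  "entry_id=104 | name=A. Kim | card=3782-822463-10005 | exp=01/28",
].join("\n");

console.log(scanExport(SAMPLE_EXPORT));
```

The output is the map of what must be purged (and from which rows), and the masked values are what goes in the remediation memo; the raw matches should never be copied into it. Run the same scan over the database backups, since a purge of the live tables alone leaves the data recoverable.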
Migrate all PHI-touching forms to a HIPAA-compliant platform with a signed BAA. Build the patient nurture sequence (five touches, text and email, branded to Yōni.Fit). Build the provider follow-up sequence. Address the worst aesthetic and accessibility issues identified above. Establish the SüRJ platform with quarterly check-ins through year one.
SüRJ is the right first call for the work above. Through our ISO partnership with Electronic Payments, Inc., we have direct access to QSA-credentialed firms, formal compliance partners, and specialized remediation resources for the moments those are needed. We orchestrate them. We do not hand you off.
For the work in this engagement, our team handles it directly.
I am Steve Wilson, founder of Recherché Merchant Solutions and SüRJ. Eight years in payment processing and merchant compliance. Ten years in insurance. Twenty-five years total in B2B consulting. The last two years building custom web, graphics, CRM, and software systems for businesses that have outgrown what got them here.
This is the kind of work my team does every week. The family connection through which this conversation began is one we take seriously, and we would rather decline an engagement than misfit one.
Built for this proposal. Trained on the details. Ready to answer.
Click Ask Quinn in the corner of this page to start. When something needs a real conversation, Quinn will tell you and route it to me directly.
A small example of the kind of intelligent operational tool we build into client systems.
Thirty minutes, in person. We come to you. The findings in this document are not exhaustive — there are several we left out for length, including some we would prefer to discuss directly rather than commit to writing. The card-collection issue alone warrants the meeting.
Schedule the meeting
If you choose not to work with us, that is entirely fine. But the critical issues must be resolved in the next two weeks regardless of who resolves them.
Do not row with holes in the boat.
This proposal will be held open through the end of the month.
All meetings are conducted in person. We will travel to your location. The session typically runs 30–45 minutes; please allow flexibility for the deeper discussion the findings warrant.